Community
1230 words, 4:50 min read
An Orwellian Dystopia
As more and more payments become digital, a key question for payment systems architects is how to preserve the privacy of their users. Without privacy, payments systems risk becoming surveillance systems for government agencies and for corporations. In turn these can be extended into control systems where third parties have the information to decide and control who has access to public and private services, based on whatever criteria they choose.
It sounds like an Orwellian dystopia, but the risk is very real - it is well within today’s technology capabilities to monitor everyone’s payments, purchases, subscriptions, donations, income and gifts, together with their location, travel patterns, online searches, email, phone, photos, gaming, reading, political, religious, medical, social media and face-to-face interactions. If it can be done, it will happen unless circuit breakers and controls are put in place to prevent it.
Privacy Risks
In analysing this risk, a good place to start is to examine how payment systems today can be used to compromise an individual’s privacy. Bank account and credit card statements are obvious starting points – between them, they contain a detailed picture of an individual’s electronic payments and income. Open banking is opening up access to information in these accounts to third parties, and the amount of information in them is ballooning due to cash displacement by contactless cards and online bank transfers. Open banking is enabling new innovations and business models, but it also poses privacy risks.
Some examples:
1.) a parent giving their daughter £10 pocket money. This should be completely private and undetectable, no-one has any reason to know about this transaction, nor how the child goes on to spend the £10. If the pocket money is paid in cash, this privacy is preserved. However, if it is paid through online banking, both the parent’s and child’s bank record the transaction and the child’s bank records how the money is spent. If either has signed up to a service using open banking, then this information is available to a third party to use - which may be legitimate, and agreed to by the parent and child, but the information is no longer private to them. Do they fully understand the implications, how sure are they the third party will protect the data and use it only for the perceived purpose they claim?
2.) a government tax agency making it easier for say, freelancers to calculate and pay their income and sales tax owed, if they give access to their bank account transactions to a government tax application. However, the tax application will see a complete record of the freelancer’s banking history, risking the freelancer’s privacy if the information is then made available to any other government department that wishes to use it.
Federated identity systems are also a risk to privacy. Examples are a government id, social media id, email id or bank id, where the same credentials allow logins to multiple applications. However, they may also be a means to link the data together from these applications. This privacy risk is similar to the risk of getting hacked if the same password is used over and over on different websites and mobile apps.
Super apps which combine multiple functions into one app such as search, payments, banking, travel, tickets, health, social media, shopping also are also privacy risks as they pool data and access to it in one place.
There is of course real value, convenience and innovation to be had from open banking, federated identity, and super apps, in particular great customer experiences and exciting new products, services and business models. Additionally, access to linked data helps law enforcers fight crime, including financial crime such as money laundering and sanctions violations.
However, payments data is also a liability for those who have to handle it. In particular merchants who process payments. They spend huge sums complying with requirements such as PCI and GDPR, and face massive fines if they get it wrong (e.g. British Airways was fined $230m recently for a sophisticated hack of card data from its website). Data is a double-edged sword for many companies, where the compliance cost and downside from handling it incorrectly can be in excess of any upside from the customer insight and convenience it brings.
Privacy v Customer Experience
Unless privacy protection is designed into new applications, including payment systems, it becomes an afterthought and ends up as a compromise between privacy and customer experience. This is similar to security where there is often a trade-off between secure applications and customer experience.
However, the need for a balance between privacy and customer experience (and between security and convenience) is a false narrative spread by vested interests, in particular by commercial companies who want unfettered access to consumer data. It is common to hear from them comments such as “we are in a digital age, it is inevitable everyone’s data will be freely available, those who worry about it need to get over it, privacy is dead”. This is pernicious, dangerous and self-serving - in reality no such balance is necessary between privacy and experience, they can co-exist provided they are designed in from the start.
Privacy Solutions for Payment Systems
So what solutions can be designed into payments to protect individual privacy?
Some examples/ideas:
Privtech v Big Brother
Just as technology makes surveillance through payments systems possible, so it can be used to ensure privacy. I have suggested just a few ideas here, but I expect a whole new industry of privacy technology, or “Privtech” will materialise, building sophisticated solutions to protect our privacy while enabling frictionless customer experiences.
Privacy is a human-right. It is critical that privacy is protected, and that payments systems are architected to protect privacy. Without it, we risk unaccountable state surveillance and uncontrolled commercial exploitation of personal data – an evil world where, to quote Orwell, “Big Brother is watching you”.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Kyrylo Reitor Chief Marketing Officer at International Fintech Business
15 November
Francesco Fulcoli Chief Compliance and Risk Officer at Flagstone
Nkahiseng Ralepeli VP of Product: Digital Assets at Absa Bank, CIB.
14 November
Jamel Derdour CMO at Transact365 / Nucleus365
13 November
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.