When you sign up for a digital service that asks you to sign a long terms-of-service agreement, chances are that company is going to be sharing your data with third parties. But what data is being shared with whom, and why, is often shrouded in secrecy–or at least confusing design, legalese, and hard-to-find disclosures.
A new tree diagram created by the designer and researcher Rebecca Ricks charts out all the different third parties with whom the online payment company PayPal “may” share the data of users who live in Europe. Based on a spreadsheet the company posted online at the beginning of January 2018 in order to comply with the EU’s strict data privacy laws, the visualization breaks the many companies that receive customer data from PayPal into broad categories and details what data is being shared and why. In essence, it’s a list of PayPal’s European service vendors, all of whom are supposed to be using the data to perform services for PayPal.
Ricks’s visualization is a useful tool that should exist for every company that shares the personal data of its customers with third parties. “As consumers we don’t have transparency into how this system works,” Ricks says. “I think people don’t realize their data is shared with third parties. For me, a data viz is a really easy way for people to see what information is shared about them.”
The categories in Ricks’s visualization include “payment processors,” which mostly consists of global banks–logical entities to share data with, given the fact that you can transfer money from PayPal to many banks. Then there’s a category for “credit reference and fraud agencies,” which includes Russia’s National Credit Bureau. A third category consists of companies in “marketing and public relations,” including many email marketers, customer service surveyors, and companies that do targeted advertising, like Google and LinkedIn. PayPal shares data like name, date of birth, social security number, and even users’ pictures with a wide variety of services, including those that collect debt or validate a user’s identity–and even ones that run survey sweepstakes for the company.
Some entries are ambiguous. Take Microsoft, under the “operational services” category. PayPal apparently supplies the tech company with an image of a customer–a photo or video–or their image from an identity document for the purposes of “facial image comparison for fraud protection” and “research and testing as to appropriateness of new products.” The former sounds like some kind of facial recognition system that PayPal uses to look for fraud. But the latter is uneasily broad. What kind of research is Microsoft doing using pictures of PayPal users’ faces? PayPal did not comment on this specific question.
By putting these revelations in the form of a data visualization, Ricks is trying to make it far easier for consumers to see how PayPal is spreading its data around to dozens of third parties. Even if a user might trust PayPal, it’s hard to know if all of these third parties are trustworthy or have any kind of data security. This practice of sharing personal data with third parties is common, and PayPal is just one example.
Ricks, who’s currently a Ford Mozilla Open Web Fellow and works at the organization Human Rights Watch, focuses on issues related to online privacy and internet freedom in her day job. “I’ve been researching and thinking about data brokers, and how PayPal and some of these other companies aren’t data brokers but function as de facto data brokers, in that they’re packaging information and selling it to third parties,” she says. “This is a conversation we’re having all the time, but it was cool to actually see examples of what kinds of customer data they’re sharing and who they’re sharing it with.”
Ricks was particularly surprised that PayPal released the information at all, surmising that it might be legal compliance–or an attempt to get ready for the new data protection law passed in Europe that will require far greater transparency from any company that processes EU citizens’ personal data in the coming months. PayPal confirmed that the page comes from the company’s European entity, and was published to adhere to current EU data laws. It does not apply to American users of PayPal, and the company does not publish a similar list of the third parties that receive its American customers’ data because it’s not required to do so.
It would be a great resource for consumers if all companies that collect and share their customers’ personal data were up-front about how they were sharing it–and better yet, if they presented it through this kind of visualization, which makes it much easier to comprehend the overwhelming scale of the list and dig into particular categories.
In the next few weeks, Ricks hopes to create another version of the visualization that lets users ask who has their date of birth or their email and see the huge network of companies with whom PayPal has shared that data. She also wants to reach out to other tech companies to ask if they’ll share similar data so she can build a transparency resource for consumers to reference when they decide to sign up for yet another digital service. Publishing this kind of information is common practice in the EU because of stricter privacy laws, and Ricks’s work shows how legislated transparency is useful in bringing the internal mechanisms of data sharing to light.
“When you can present it in a way that’s engaging, you can draw people’s attention to how data is organized that they probably wouldn’t have been looking at in a spreadsheet,” Ricks says. “You can take this info sitting in a spreadsheet and make it more palatable and interesting and relevant to people.”