September 10, 2014
Monica Jackson
Office of the Executive Secretary
Consumer Financial Protection Bureau
1275 First Street, NE
Washington, DC 20002
Re: Request for Information Regarding the Use of Mobile Financial Services by Consumers and Its Potential for Improving the Financial Lives of Economically Vulnerable Consumers
Docket No. CFPB-2014-0012
Privacy Rights Clearinghouse comments submitted electronically via http://www.regulations.gov
Background
The Privacy Rights Clearinghouse (PRC) respectfully submits the following comments in response to the Consumer Financial Protection Bureau’s (CFPB) Request for Information Regarding the Use of Mobile Financial Services by Consumers and Its Potential for Improving the Financial Lives of Economically Vulnerable Consumers (RFI).
The PRC is a nonprofit consumer privacy education and advocacy organization.[1] We serve consumers nationwide and have invited individuals to contact us with their privacy complaints and inquiries since 1992. Our mission is to engage, educate, and empower individuals to protect their privacy. In turn, we identify trends and communicate our findings to advocates, policymakers, industry, media and other consumers.
In line with our mission, PRC seeks to encourage positive consumer use of mobile financial management tools while discouraging commercial and consumer activities likely to lead to predatory practices and compromised privacy and security. We also encourage high quality consumer education on national and local levels.
Question 18. Privacy and security concerns have been cited as reasons consumers do not use mobile banking and mobile financial management services. What are the specific types of privacy and security concerns?
Mobile banking and financial management services can provide consumers with convenient access to valuable tools. This is especially true for unbanked and underbanked individuals whose primary mode of accessing the Internet may be via a mobile device.
In order for consumers to fully benefit from these services, regulators, companies, and consumers must address many privacy and security concerns. We have listed some of these concerns below.
Security
Most individuals do not use security software or even take basic security precautions when using their mobile devices.[2] Consumers face security risks in the real world and online. Both physical theft and malware are major concerns. In addition, many consumers do not understand the importance of using a secure Internet connection. This is particularly important when individuals use open Wi-Fi networks and/or access sensitive information through apps or websites that are not secure.
Anyone can create an app. This means there are malicious apps designed to scam consumers. It also means that not all apps offer the same level of security or privacy.[3] The major app stores, such as the Google Play store and Apple iTunes store, are more likely to catch bad actors than other third-party app stores (consumers should be encouraged to be wary of using such app stores). However, even if an app isn’t malicious, it may still contain security vulnerabilities.
Consumers should be encouraged to do their research and also update their software on a regular basis. App developers must create their products with security in mind and address vulnerabilities and the potential for data breaches.[4] Enforcement agencies must protect consumers and hold companies accountable.
Consumers who use texting rather than smartphone browsers or apps face the potential of being targeted by scams involving spoofing. Many consumers we speak with are not aware that scammers have the ability to spoof a call or text to make it appear that it is coming from a legitimate company. We believe more consumer education is needed to address this issue, especially if consumers are engaging in financial transactions via text.
Privacy
Mobile devices can store and generate an enormous amount of valuable information on a person. Mobile devices such as smartphones travel everywhere with consumers and can contain and reveal potentially sensitive information. For example, a smartphone can reveal a person’s location at any given moment and throughout the day. In addition, many people also use mobile devices in conjunction with monitoring their health.
Ideally, a service would only collect the information it needs to perform its function. However, a common mobile app business model is to offer a service in exchange for access to data rather than money. For individuals who use a mobile device as their sole method of carrying out financial transactions as well as accessing the Internet, this may pose additional risks.
It is difficult for individuals to read privacy notices on small mobile device screens.[5] It is hardly realistic to expect consumers to read and understand lengthy and legalese-laden privacy policies on a computer with a large screen. It is completely unrealistic to expect a consumer who only has access to a mobile device with a small screen to read the privacy policies and terms of the apps they download and other services they use. Unless there is a widespread change regarding how privacy notices are delivered to consumers on mobile devices, consumers will not be able to compare and choose services by their terms and policies. There have been efforts to address this dilemma, but we aren’t aware of any effective solutions that are being used on a broad basis.[6]
The largely unregulated data broker industry trades in consumer data to create detailed profiles. Consumer data is valuable and is being collected, shared, and used in massive quantities by companies that are largely invisible to the individual consumer. This includes data that many individuals consider sensitive, such as financial and health information.[7] For more information on the data broker industry in general, see the Federal Trade Commission’s May 2014 report: Data Brokers: A Call for Transparency and Accountability.[8]
The creation of detailed personal profiles may result in discriminatory practices. Even if a consumer is fully aware of the data collection practices of a mobile app or service (which is unlikely), it is even more difficult for consumers to predict and understand how their information may be aggregated and used in a potentially discriminatory manner.[9] We believe this is a great risk that extends beyond the mobile environment, and may lead to low-income and at-risk individuals being targeted with products or scams that expose them to financial harm. In addition, consumers may be precluded from receiving better offers that they may be eligible for. We believe this issue needs to be addressed by all agencies tasked with consumer protection.
What actions should consumers take to protect their information and identity?
The PRC believes that consumers should have access to easy-to-digest information, available in many forms of media and different languages, so they may obtain and maintain a general understanding of security, privacy, and common scams and social engineering tactics. Consumers should be aware of the value of mobile devices themselves as well as the information stored on or generated by the device. Consumers should also understand the importance of protecting their own sensitive information such as a Social Security number and financial account information.
However, consumer education by itself is not a viable or equitable solution. We believe that protecting the privacy and security of consumers’ information in a technologically complex ecosystem is a duty that must reside primarily with the companies creating, employing, and ultimately profiting from these services. Privacy and security must be built into the products from inception and addressed consistently.
The CFPB and all other agencies tasked with consumer protection must use their authority to encourage and maintain a safe marketplace for all consumers through education, rulemaking, public policy efforts, and enforcement.
[1] See Privacy Rights Clearinghouse, About the Privacy Rights Clearinghouse, https://www.privacyrights.org/content/about-privacy-rights-clearinghouse.
[2] See e.g., Consumer Reports, Smart phone thefts rose to 3.1 million last year, Consumer Reports finds, available at http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm (last updated May 28, 2014).
[3] In 2013, Privacy Rights Clearinghouse conducted a study on mobile health and fitness apps. The materials we published highlight some of the privacy and security concerns facing consumers, and offer tips to application developers. Privacy Rights Clearinghouse, Mobile Health and Fitness Apps: What are the Privacy Risks?, available at https://www.privacyrights.org/node/57216 (last visited Sept. 10, 2014).
[4] For more information on data breaches, see PRC’s Chronology of Data Breaches at https://www.privacyrights.org/data-breach.
[5] See e.g., The Atlantic, Why Privacy Policies Are So Inscrutable, Sept. 5, 2014, available at http://www.theatlantic.com/technology/archive/2014/09/why-privacy-policies-are-so-inscrutable/379615/.
[6] One example is the National Telecommunications & Information Administration’s (NTIA) Privacy Multistakeholder Process regarding mobile application transparency. For more information, see http://www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency.
[7] See e.g., Pam Dixon and Robert Gellman, The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Your Future, The World Privacy Forum, April 2014, available at http://www.worldprivacyforum.org/wp-content/uploads/2014/04/WPF_Scoring_of_America_April2014_fs.pdf.
[8] Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability, May 2014, available at http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
[9] For a thorough description, read the White House report titled Big Data: Seizing Opportunities, Preserving Values at http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf.