Banks in the US and elsewhere have been selling anonymous information about customers’ spending habits for a long time. Now, Norway’s largest bank plans to do the same. Here’s what our security team has to say about that.

Many big banks track every card transaction their customers make and go on to sell that information to third parties.

If you live in the US, chances are that every time you buy something with a debit or a credit card, your bank learns a bit more about you. It already knows about your spending habits – your favorite shops, how often you eat out, whether you drive or take the bus to work, how often you go on holiday, and so on.

Banks the world over have been selling anonymous, aggregated data about customers’ spending habits to other businesses for a long time. But up until now, that hasn’t been the case in our home country, Norway.

Earlier this week, Norway’s largest bank DNB announced that they’ll start selling information about customers’ transactions, such as card or payment solutions, geolocation, gender, and age.

Vivaldi security expert Yngve Pettersen (@TechieNotNetie) is concerned about how the data will be broken down:

The data that your bank has is very sensitive. Depending on how this is implemented, there might be issues. Imagine that you buy medicines with your card or pay for hospital bills. Even if you just bought something in the kiosk of the cancer hospital on consecutive days, that might reveal something.

In addition, Yngve says that some data should be filtered out of the statistics:

There should be a threshold. Filters should ensure that the data reveals what many people buy, not what one person buys. If there are too few people buying something, it becomes easy to identify the buyer.
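The threshold filter described above can be sketched as small-cell suppression. This is an added example, not DNB's or Vivaldi's code; the threshold of 5, the field names and the sample rows are assumptions made for illustration. It also shows why the threshold has to count distinct customers rather than transactions: one person's repeated kiosk visits would otherwise pass the filter.

```python
from collections import defaultdict

K_MIN = 5  # assumed threshold; the article names no specific number

# Constructed sample rows: (customer_id, merchant_category, postcode_area, amount_nok)
TRANSACTIONS = (
    [(f"c{i}", "grocery", "0150", 200 + 10 * i) for i in range(1, 7)]
    # one customer visiting the same hospital kiosk on five days
    + [("c3", "hospital_kiosk", "0379", 45)] * 5
    + [("c1", "pharmacy", "0150", 120), ("c2", "pharmacy", "0150", 80)]
)


def aggregate(transactions, k_min=K_MIN, by_customer=True):
    """Aggregate spend per (category, area) cell and suppress small cells.

    by_customer=True  thresholds on distinct customers (what the filter needs).
    by_customer=False thresholds on transaction count (the weak variant).
    Returns (published_cells, suppressed_cell_keys).
    """
    customers = defaultdict(set)
    tx_count = defaultdict(int)
    totals = defaultdict(float)
    for cust, category, area, amount in transactions:
        cell = (category, area)
        customers[cell].add(cust)
        tx_count[cell] += 1
        totals[cell] += amount

    published, suppressed = {}, []
    for cell in totals:
        size = len(customers[cell]) if by_customer else tx_count[cell]
        if size >= k_min:
            # Publish only the total and transaction count for the cell
            published[cell] = {"transactions": tx_count[cell],
                               "total_nok": round(totals[cell], 2)}
        else:
            suppressed.append(cell)
    return published, sorted(suppressed)


if __name__ == "__main__":
    for mode in (False, True):
        pub, sup = aggregate(TRANSACTIONS, by_customer=mode)
        print("by_customer =", mode, "| published:", sorted(pub), "| suppressed:", sup)
```

A threshold of this kind limits what a single released table reveals; it does not by itself prevent the table from being combined with other data sources.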

There have been several cases of “anonymous” data being de-anonymized. Yngve adds:

Statistical data is less likely to be used to track down a person but you might be able to connect stuff if you map it with something else.

For Vivaldi founder Jon von Tetzchner (@jonsvt), this is less about being identified and more about what can be done with the data:

Facebook and Google use such data to track purchases done offline and tie them into ads seen online. So the advertiser may not know who you are, but they know what you buy and how you buy. That can be used to influence you during a political campaign.

This practice is all the more alarming in the light of ongoing scandals embroiling Facebook and data firm Cambridge Analytica. For Jon von Tetzchner, this is a slippery slope:

Here there is no concept of privacy. Just the right to spy. We do not want to go there in Norway.

Julien Picalausa (@neartothesky) would like to know what they are planning to share exactly:

In general, it is hard to share datasets that do not allow profiles to be built. It is a bit surprising that they are planning to do this, given that they are subject to GDPR. It must be the case that bank customers have already accepted this through some lengthy terms of use. I would definitely not want to stay with a bank that potentially sells my data.

In Norway, the use of cards is widespread. That means that for many customers 100% of purchasing habits will be tracked and sold.

The new “touch only” cards with their automatic payment for low sums are making card payments even easier and will provide the banks with even more detailed information.

The problem is that there is nothing illegal about any of this. Jon von Tetzchner says:



This is another example of why the use of data should be regulated. The banks should have no right to do this.

* * *

The book “Weapons of Math Destruction: How big data increases inequality and threatens democracy” by Cathy O’Neil discusses the usage of such data in the US.