An anonymous reader quotes a report from Motherboard: Yodlee, the largest financial data broker in the U.S., sells data pulled from the bank and credit card transactions of tens of millions of Americans to investment and research firms, detailing where and when people shopped and how much they spent. The company claims that the data is anonymous, but a confidential Yodlee document obtained by Motherboard indicates individual users could be unmasked. The findings come as multiple Senators have urged the Federal Trade Commission (FTC) to investigate Envestnet, which owns Yodlee, for selling Americans' transaction information without their knowledge or consent, potentially violating the law.
The Yodlee document describes in detail what type of data its clients gain access to, how the company manages that data across its infrastructure, and the specific measures Yodlee takes to try and anonymize its dataset. The transaction data itself comes from banks, credit card companies, and apps that Yodlee works with, including Bank of America, Citigroup, and HSBC, according to previous reporting from The Wall Street Journal. According to the 2019 document Motherboard obtained, the data includes a unique identifier given to the bank or credit card holder who made the purchase; the amount spent for the transaction; the date of the sale; the city, state, and zip code of the business the person bought from, and other pieces of metadata. Once logged into Yodlee's server, clients download the data as a large text file, rather than interacting with the data in a dashboard or interface that stays solely within Yodlee's control, according to the document. Yodlee does remove personal identifiable information (PII), such as names, email addresses, account numbers, SSNs, and phone numbers, but it "does not remove spatio-temporal traces of people that can be used to connect back the data to them," says Vivek Singh, assistant professor at Rutgers University. As Motherboard notes, "spatio-temporal traces are the various pieces of metadata that the document shows are included with the transaction -- the date, the merchant, the physical location of the sale, and more."
"If an attacker can get hold of the spatio-temporal coordinates for just three to four randomly picked transactions in the dataset, then the attacker can unmask the person with a very high probability. With this unmasking, the attacker would have access to all the other transactions made by that individual," Singh said.
Read more of this story at Slashdot.