When bitcoin faithful began preaching the virtues of anonymous currencies, the pitch sounded familiar.
“I thought, ‘Haven’t we got that already?’" said Kirsten Thompson, a partner at Dentons and national lead of the firm’s transformative technologies and data strategy group.
“Cash, not bitcoin, was the original anonymous currency and we lose something by getting rid of it.”
In advising big banks and financial services companies on cybersecurity and payment systems, Ms. Thompson is more attuned than most to the risks and implications of cashless payments.
The shift toward a cashless society is well under way in Canada, as credit and debit cards, online transactions and digital wallets increasingly replace cash as the preferred modes of payment. Cash now accounts for just 12 per cent of point-of-sale transactions, according to Payments Canada’s most recent report. And payment processor Moneris forecasts that, by 2030, just 10 per cent of all commercial transactions in Canada will be settled with cash.
While widely adopted for ease of use, cashless payments also give rise to a host of security and privacy concerns, including vulnerability to hacking and data breaches, and how consumers’ personal data are used and disseminated.
Every non-cash transaction leaves a digital trail. Each tap or swipe of a credit card reveals, at a minimum, one’s identity, basic financial account information, purchase amount, as well as location and time. Credit cards attached to loyalty programs additionally track shopping habits. Online purchases can also reveal one’s IP address and details on browsing history. And some phone payment apps may track their user’s movements.
The direct concern about the flow of personal data generated by electronic and digital payments is the possibility that this information isn’t properly secured, and that malicious actors can gain access to sensitive personal and financial information.
There are numerous examples of vast troves of payment data being compromised. Last November, Marriott International Inc. disclosed that hackers gained access to its database and stole the credit card information for more than 100 million hotel guests.
On an individual level, there may also be revealing details to be mined from someone’s transaction history.
“It is not hard to think of examples where the information about the purchase of a good makes the individual vulnerable: a purchase indicating that the individual has high wealth, or a purchase that may be embarrassing, even if perfectly legal,” Charles Kahn, a research fellow at the Federal Reserve Bank of St. Louis, wrote in a recent discussion paper.
Cash satisfies a basic desire for anonymity that electronic and digital payments cannot offer, said Tyler Chamberlin, a business professor with the University of Ottawa. “There’s a general idea that people have a right to privacy, that you don’t get to know where I am, what I do, what I consume,” Dr. Chamberlin said.
Or, as Mr. Kahn puts it, “a right to be forgotten.”
And yet, while many consumers express alarm over how their personal data might be used or abused, they also seem to readily forfeit their own privacy when given the chance, Dr. Chamberlin said.
Participating in a credit-card loyalty program, for example, essentially involves a trade-off whereby users collect points in exchange for giving access to their transaction data.
“At their heart, loyalty programs are an attempt to get visibility into the granularity of your purchases,” Ms. Thompson said. “Companies are looking to monetize that information for advertising purposes, and for generating consumer insights.”
That kind of data is most commonly used for targeted advertising and personalized promotions based on one’s shopping habits.
While that might seem like a relatively innocuous use of payment data, retailers can unearth some intimate details of their own customers’ lives based on what they buy. In 2012, a New York Times article detailed how Target Corp. statisticians came up with a way to predict which of its shoppers were pregnant, by homing in on purchases of products such as supplements and lotions, and generating a “pregnancy prediction” score. The resulting ads even tipped off one Minneapolis father that his teen daughter was pregnant.
Increasingly sophisticated computer systems and algorithms, meanwhile, are able to glean ever deeper insights from personal data, especially when combined with other sources of data, such as social-media activity. Purchase history, coupled with behavioural information, can help generate a close approximation of a person’s credit rating, for example.
“It’s not a person looking at your data any more. Machines and algorithms are looking at your data and creating a profile of you,” said Ale Brown, founder of Kirke Management Consulting, a Vancouver-based privacy consulting firm.
There is the risk that automated decision-making can result in flawed inferences, Ms. Brown said. “You don’t know how that information might affect you in the future. Are my insurance rates going to go up because of something that I purchased?”
There are many organizations dabbling with data analytics these days. And their intentions are generally legitimate, Ms. Thompson said. But whenever personal data are amassed, there is the risk of the data being abused or falling into the wrong hands. And when it comes to payments, there’s really only one way to avoid that.
“When I want to opt out of being tracked, or being marketed to, or generating more data to be fed into analytics, I use cash,” Ms. Thompson said.
This is the last of a multipart series that looks at Canada’s movement toward a cashless society.
Tim Shufelt