Comment by inahga

5 months ago

There are quite a few interesting tracking flows out there.

My rent is paid through a company called Bilt.

I discovered that when I shop at Walgreens now, Bilt sends me an email containing the full receipt of what I bought like so:

    > Hey [inahga],
    >
    > You shopped at Walgreens on 12/1/24 and earned Bilt Points with your
    > Neighborhood Pharmacy benefit.
    >
    > Items eligible for rewards
    > TOSTITOS HINT OF LIME RSTC 11OZ
    > $3.50
    > 
    > +3 pts
    > TOSTITOS RSTC 12OZ
    > $3.50
    >
    > +3 pts
    > Other items*
    > EXCLUDED ITEMS
    > $0.07
    >
    > *May include rewards-ineligible items and/or prescriptions.

Ostensibly (hopefully) it would exclude sensitive items, plan B, condoms, etc...

I'm curious how this data flows from Walgreens to my rent company, but maybe I'd rather not know and just use cash/certified check from now on.

This is called Level 3 data, and any merchant can choose to provide it for a reduction in the transaction fees they pay.

Here's a small comment thread from a few months back: https://news.ycombinator.com/item?id=41213632

  • So in essence the merchant pays with my data?

    • In theory you’re already paying the merchant fee in the “price”. So merchant found a way to improve margins and credit card companies found a new revenue source

    • Yes, though people also welcome the extra cash back or other card benefits.

      Apple Card does not sell this data, IIRC. But offers a lower cash back than many other cards.


  • It’s honestly crazy that we allow companies to sell our data — and even financially incentivize companies to share our data like this.

    • The problem is that to you it seems like your data but to Walgreens they see it as theirs. They generated it with their point of sale system.

      The data is about a transaction that you made, but they generated all of it.

      Until we have agreement as a society about what “my data” means, this kind of stuff is going to run rampant.


    • It’s amazing how little control we have over information that is the most personal essence of our lives.

      Why do we have zero insight, no control. Nothing.

      I hate it so much.

  • Thanks for the details.

    > choose to provide it for a reduction in the transaction fees they pay.

    That would explain why I can use my credit card for rent without a transaction fee! No free lunch!

  • Who is Level 3 data shared with, i.e. who is the aggregator? Is it the credit card bank that then aggregates and sells it?

  • Is there any documentation on this to read further? I.e. what the different levels contain and how much on average is the cost reduction for the merchant.

"Bilt Members can earn points on Walgreens purchases made using any card linked to their Bilt account."

https://support.biltrewards.com/hc/en-us/articles/2901187842...

There's that FSA/HSA benefit section at the bottom which explicitly states that Bilt receives item-level data:

https://www.biltrewards.com/terms/walgreens

  • That just sounds like a standard cross-merchant loyalty program? I don't think there are many examples in the US, but once you realize it's a loyalty program you really shouldn't be surprised that they're tracking your purchase history. That's basically the entire premise.

    • In Germany, the major cross-merchant loyalty program Payback gives you one or two rounds of extra consent choices about the tracking, and the type we see here is absolutely not mandatory for participating. It does of course let them give you more personalized and useful coupons, but one can participate while declining that permission.

I believe that's opt-in. At least it seemed to be when my landlord switched to Bilt.

There's a section of your Bilt profile that shows your other credit cards and whether you want them linked. It's pretty freaky to see them listed in the first place.

I definitely keep them off.

Bilt is ultimately a big points/reward program though, so you might get points for having them connected.

I still haven't figured out exactly what Bilt's business plan is, but the main part seems to be trying to get as much financial data on people as possible, and partnering with landlords to do so, and since it's how to pay your rent you can't unenroll completely. (Unless you maybe mail your landlord a paper check?)

  • It was opt-out for me. Or at least, I was never given informed consent that this data exchange was going to take place.

    The landlord of course makes it _seem_ like you have no other modes of paying rent. The cashier’s check option is buried in the fine print.

    Dark patterns all around IMO.

  • It was initially opt in for me, then they made it mandatory.

    (Sure, I could pay by check but consumer banking technology/US in the US already feels like it is lagging a decade behind other countries without voluntarily going further back. Paying by check every month would be quite inconvenient.)

    I'd already decided to avoid bilt as much as possible, but reading this thread prompted me to try going a little further.

    Looking through their privacy policy it talks about what California residents can do under CCPA: https://legal.biltrewards.com/policies

    > Request to Know... The specific pieces of Personal Information we collected about you.

    > You have the right to opt-out from having your Personal Information and Sensitive Personal Information sold to third parties. You also have the right to opt-out from having your Personal Information and Sensitive Personal Information shared with third parties for purposes of cross-contextual advertising

    Might as well give this a go.

I’ve had to deal with Bilt [0]. In case you’re not aware, they have a “feature” called Instant Link that automatically pulls ALL of your personal and sensitive financial data from financial institutions, including your credit card accounts, balances, etc. They apparently do this via a partnership with a company called Method Financial [1].

It’s frankly the most intrusive thing I’ve ever encountered in any software I’ve ever used—I’m not sure how it’s even legal, but this is America where we have no real privacy rights.

Instead of giving you the option to opt in for them to get this level of access, they automatically enroll you into it when your account is created, pull your data, and then allow you to “opt out” afterward, which enables them to have access to your personal and sensitive financial data anyway. And since you literally must have an account with them if your building uses their services for rent payments, they’ve effectively rigged the system to force millions of folks to unknowingly give them access to their personal and sensitive financial data.

Anyway, in your Bilt privacy settings, there are some options you can disable (including Instant Link), and I recommend that you disable ALL of them, although given the dark practices of this company, I don’t even trust that those settings are actually honored.

Side note: Did you know about a company called Method Financial that somehow has real-time access to ALL of your personal and sensitive financial data? Did you know that this company you never heard of that has said access then sells that access to the highest bidder? Do you remember agreeing to any of that anywhere? Yeah, me neither (on all counts)…

[0]: https://www.biltrewards.com

[1]: https://methodfi.com

  • Thanks for the heads up. Luckily I can go back to analog with certified funds to pay rent. I suspect, without evidence, this is due to the relatively strong tenant protections in Chicago.

> just use cash/certified check from now on

You might want to learn about the sophisticated and pervasive facial recognition technology used by major retailers. Paid by cash? It can still be tracked to you. For "fraud prevention", of course.

  • Are you aware of cases where it is used for more than theft prevention/manual review of CCTV?

    I'm not aware of any big retailers using facial data for targeting vouchers or anything similar.

    Simple things like "did walk through the door with a child" would be pretty valuable data, yet as far as I know, nobody uses it.

  • >Paid by cash? It can still be tracked to you. For "fraud prevention", of course.

    They can already track you through your phone and/or credit cards. Why bother setting up a massive facial recognition system for people paying with cash when they only account for 10% (or whatever) of overall shoppers, and have less disposable income than average?

    • I don’t know about the US but in the UK they did it ostensibly to catch shoplifters.

      We have a major problem with “professional” thieves stealing because the big chains don’t want to pay cashiers anymore.

      You see a screen with your face on it in places like Waitrose self service checkouts now. It’s their way of saying “we know who you are”.

      Tracking cash purchases is just a side bonus for them.

  • Is there actual evidence of this, like anywhere?

    Facial recognition on a small corpus of known faces (what everyone experiences on Facebook, their phones, etc) is an easy problem.

    Walmart picking up a face walking into a store and matching it against 30 million possibilities is going to return so many false positive matches it’s going to be completely useless.

  • Facial recognition is illegal where I live, both for gov't and commercial uses. Several major cities in the US have banned it (e.g., San Francisco, Boston, etc.).

I'm assuming you're using your Bilt card when this happens. Your Bilt agreement stipulates how itemized transaction data (level 3 in payment terms, with level 2 being "enriched" with subtotals/tax and merchant information- which is what you typically see with your normal bank)

Card networks (Mastercard, VISA) have different fee structures that incentivize more detailed information like level 3 for lower processing fees for merchants - here's more details on levels https://na-gateway.mastercard.com/api/documentation/integrat...

https://support.biltrewards.com/hc/en-us/articles/5536526023...

Perhaps more interesting in your case is that if you had your card issued in or before 2022, it's likely with Evolve bank which was breached - https://medium.com/@HackLaddy/when-your-bank-doxxes-you-9152...

What's most interesting to me about that is that they are willing to disclose that data to your email provider. Amazon, for example, is pretty cagey about what you've bought when sending emails, probably because they don't want Google to be able to use that information to target ads to you. (Not because they are Good and care about your privacy, but because they think they're going to beat Google at advertising. How's that going?)

So yeah, I don't get why they would do this. It gives their advertising competitors valuable data for free, and it pisses off customers by telling them that they're being tracked when they shop at Walgreens. Strange stuff.

  • Oh, here I thought it was because every time I want to remember info about an order, it forces me back to their platform, rather than simply searching my email like I do for every other item I've ever purchased.

    (And no, I don't use gmail.)

Loyalty cards are one avenue for data brokers to get your purchase history. Credit cards can also sell your purchase data. Currently the only safe-ish way to be anonymous is with cash. That may disappear with pervasive face recognition and cell phone tracking.

What’s most strange to me is why this Bilt company would pay for that data feed and somehow think it provides some value to you. It’s obviously just a creepy way of saying we know too much about you.

The best part of every post in the ycombinator is the comments. Always learn a lot.

I think another big problem is pharmacies. The amount of data shared with health insurance companies must be huge.

Things like that are on my mind when HN rants about GDPR. Something like this would be wildly illegal where I live.

  • Unfortunately the GDPR is largely toothless if a company without an EU presence chooses to ignore it.

    I live in Ireland and my data is in the databases of several US data brokers. Those companies can't be forced to comply with the GDPR because they simply do not have an EU presence. You don't have to search far to find stories from people who made complaints to their local Data Protection office about such issues only to be told there's nothing that can be done.

    • A common discussion these days is the threat of a foreign app (TikTok) being used by a hostile government to track and influence Americans.

      From my non-American perspective, the same thing is happening here. I distrust non-EU software by default.

  • HN rants about it because it’s not a good solution. It identified a problem but caused an idiotic fallout (cookie banners) and failed to actually put in a framework to enforce that companies aren’t just lying.

    • I agree but a small stick to beat them is better than none.

      I guess the best solution would be usage of some proxy which intercepts these calls or provides fake data to them. As op in the article did.

    • > failed to actually put in a framework to enforce that companies aren’t just lying.

      That's not true. I work in a European company and we were contacted by the agency to give a complete list of partners that we use, reasons for why it is justified, which routines we have for deleting old data etc.

      I guess in theory we could have lied and made up data, but only an idiot would risk lying to the government. Everyone at my company took it seriously and tried to provide as accurate data as possible. There were also several follow up questions that had to be answered.

      The mindset of lying to the government to "protect" your employer seems so far fetched. Why should an employee lie to the government? If it turns out that the company was in violation of GDPR the worst case scenario for the company is a fine. If the government finds out you are lying, the employee faces jail time. The trade-off is simply not worth it.

      Maybe it's easier to lie to the government in some countries, but not in my country. The government agencies actually check and verify your claims.


    • I've been seeing cookie banners on European websites long before GDPR was a twinkle in some Brussels bureaucrat's eye.

This happened to me with square (block). I bought furniture, and they used square and required my email address for delivery. And then after that, anywhere I used square to pay for something using the same card, they would email me a receipt. I complained and they played dumb and never did anything.

I just stopped using that card with square.

This literally just happened to me last week. I emailed them to ask them how to stop this:

    > I understand you want to opt out of all points and rewards and not be tracked.  
    > 
    > We're constantly working to make Bilt as rewarding as possible. Currently, we don't have an option to opt out of points or rewards. To prevent your transactions from being tracked, the most effective step is to unlink your card from your Bilt account.
    > 
    > To unlink the card:
    >
    > Go to the Wallet tab > Scroll down to the Your Linked Cards section.
    > Look for the card you would like to unlink and tap View all benefits.
    > Click the ellipsis [:] on the top right, then tap Edit > Unlink.

Gah, I hate this service and will avoid renting in buildings that use it in the future.

Hopefully exclude? By whom? At some point, somebody has to decide it was sensitive, by what standards? Does Bilt decide to not use it after they were already sold the data? Does the aggregator after already being sold it by the harvesting seller? Does the harvesting app reduce the appeal of their data by deliberately excluding the data? Does the harvesting app care to spend the money on doing that?

So paying by cash is the easiest way to generally avoid this?

Clearly you can decide not to use Bilt, but maybe you get caught out some other way (bank, ...) - too difficult to track the trackers.

  • That's what I do, but I assume some stores like Target also track you by Bluetooth, facial recognition, etc, and can correlate any past or future cash purchases if you use your credit card once for maybe a large innocuous purchase.

What if landlords could reach their grubby hands into the data firehose their tenants spew out? I can save 5% on some useless shit at X store, you say? Sign me up!

Bilt as a concept is the biggest pile of late stage enshittification horse shit I’ve ever seen.