My one request that would enable me to recommend this to my musician friends is an export feature, along with a promise of adequate notice before a shutdown of the app, to allow people to export their recordings in a worst-case scenario.
The one thing that may keep musicians using Apple Voice Memos despite your app seeming much better is that they often make a lot of recordings, and losing them all would be unimaginably tragic.
I actually mentioned in a thread about Plaid in 2018 that they sold transaction history to third parties, and the cofounder came onto HN to explicitly deny that [1]. I actually felt convinced they didn't afterwards, as I couldn't imagine such a direct and clear refutation if it were true.
As someone who has overseen our consumer privacy team over the past few years building out products like Plaid Link and Plaid Portal, I can attest this is a foremost priority for the company. FWIW, I don’t agree with the allegations, and you can read our POV on this blog post.
Based on this, and the blog post, they clearly take issue with the term ‘sold’. Making the users’ data accessible via API to customers who’ve paid for access to said data does not constitute ‘being sold’, as far as their lawyers are concerned. The fact that 98 million users disagree is unfortunate...
The product was sold as infrastructure, and used as data collection, and 98 million users were not aware of that.
If you’re unable to reconcile why users of square cash would be confused when they hear their data is accessible through some service called ‘plaid’ for which they’ve never signed up, or given their data, then maybe you could start with defining terms as they would, rather than how you’d prefer they sound.
Having data in a database doesn’t make it yours; it’s the user’s. It was when it was in their bank, it is when you move it to your service, and it remains so when you provide it to someone else.
I replied in a few other threads on this. We don't make the user's data accessible via API outside of the app the user connected. Your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app.
We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
Thank you for the response — I know you're likely very restricted in what you can say here, but:
You just settled a claim that you sold customer transaction histories, and from the article linked, the plaintiffs' lawyers claim that you have agreed to implement meaningful business practice changes to remediate these issues.
(1) If you've never sold transaction histories, why settle a lawsuit alleging that you sold transaction histories?
(2) What meaningful business practice changes could you be making if there's no issue to begin with?
(I'm relying on the article here as a source of truth).
You’re right that I can’t write much (legal, PR team say hello).
The bottom line point is, we don’t sell data and that’s not the main allegation. The main allegation is that people didn’t understand that we were part of the flow of connecting banks to apps. We disagree.
Before 2017, there was a whitelabel experience of Plaid that didn’t say “Plaid”, didn’t have the Plaid logo, etc. We still stand by our belief that our disclosures at the time were more than adequate. But it’s not something we want to have protracted litigation around.
The reality is that our experience today is vastly different (and has been for a while). As for “what meaningful business practice changes could you be making if there's no issue to begin with.” Like most companies, we’re always making improvements to our experience -- today we have a consent pane that makes our role clear, a portal for people to manage their data, etc.
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps. [1]
This is allegedly from the lawsuit. I can see your perspective — that it made sense to settle because of the privacy accusation, but you still deny the other accusations. I understand that perspective, though as I'm sure you can understand, it's hard to know for sure based on the allegations and the settlement.
Pre-2017 Plaid was awesome. You were able to just feed in a username and password of a bank account you collected with your own UI and it would spit out its transactions.
IANAL and have no affiliations to Plaid. My takeaway from the article and [0] is that Plaid violated privacy laws because they provided insufficient disclosure with respect to the collected data, not that they are selling data to third parties.
(IANAL either) I understand and agree that part of the issue is that they, allegedly, underhandedly collected this data. My question is focused around the potential selling of that data, which took place according to the lawsuit and was likely the reason to collect the data.
From the article you linked:
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.
> My question is focused around the potential selling of that data, which took place according to the lawsuit and was likely the reason to collect the data.
They would kind of have to be idiots to do so, to be quite frank.
Up until like a year ago, their baseline product was $500 / mo plus $x / user after 100 users (iirc) with a 12 month contract.
Plaid has basically no competition, is worth billions and was almost acquired if not for an anti-trust suit.
I am not sure how Plaid or its founders would benefit financially by betraying the trust of their customers and their customers' customers by getting a few cents per record out of it.
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.
People's hatred / mistrust of Plaid stems from a misunderstanding of what Plaid is.
Yes, Plaid does """sell""" that information... to the app that you willfully gave permission to, information like cash flow, debt, types of debt, etc.
Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs. The lack of banking APIs is the only reason Plaid exists and has to resort to scraping or storing banking information.
> Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs.
Why REST? Yes, I’d certainly rather call REST APIs than, say, SOAP APIs, but do you really want Congress specifying that much technical detail?
I haven't used Plaid and I haven't read the litigation, but it seems the following scenario may have happened:
1) Users use Plaid to buy/sell with a variety of vendors and banks
2) Vendors and banks were aware that specific users were buying /selling because they were buying/selling their products
3) Users consented to #2 because they were buying/selling their products
4) Plaid provided aggregated reports that said "5% of your customers also shopped on Amazon"
I don't have the time to read and research exactly what happened. I see you settled for a large sum. Thus, I don't believe you. We've all been burned by companies that claim one thing and do the exact opposite. It doesn't matter if legally they are stating things accurately. What matters is how we, a mere human, would believe the plain English phrases used to be construed.
Hope you have success and I have no ill will towards you.
Did you pull all transactions on Plaid auth requests? Did you store that data to build out your risk score product? Your standard customer (one verifying their account for an ACH pull) more than likely didn’t know all their transactions were being stored and mined. They just wanted to fund their Robinhood account. That is the issue.
Not to be nit-picky, but is that data (or derivatives of the data) gifted, given, bartered for, or otherwise sent to parties that are not (Plaid, user bank, connected app)?
Neither here nor there, but I just used Plaid for the first time yesterday to pay for the downpayment on my Tesla. It was a really nice, seamless experience.
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
I worked at Plaid from when it was less than 50 people to when it was a little over 100. There was no selling of data going on when I was there in any form (anonymized, aggregated, or otherwise). More generally, it doesn't make sense for Plaid to sell data. They already make a huge amount of money on the API. Why jeopardize that? In terms of the settlement size, it actually seems like peanuts to me in comparison to the size of Plaid and the number of affected people. I mean it basically translates into 60 cents a person. This seems more like a payoff to the class action lawyers, enough to make it worth their while but basically nothing for their "clients."
That's just not at all true. If you've ever worked in / around law you'd understand how it's less about right and wrong and more about risk management. Non guilty parties settle all the time. (I have no idea if that is true in this case or not) but simply the idea that they settled for $$$ amount means they're guilty is just false.
As an engineer that's had to advise corporate legal on how to look at various things I can assure you that most of it is just risk mitigation and reward. From lawsuits to contracts, it's all the same stuff. That's just how legal people think. I don't think it goes any deeper than that.
How much did they settle for? I don't see that in the article. Just because they were sued for $58M doesn't mean that the settlement amount was anywhere near that!
A legal settlement over a lawsuit is the epitome of "if legally they are stating things accurately", how can you possibly conclude that their settlement relates to how you, a mere human, believe the English phrases to be constructed. One explanation is dismissed because it touches on supposedly irrelevant legal details yet your belief is based entirely on another legal detail. It sounds like you've made up your mind already regardless of what the "plain English" circumstances could be.
This really sounds like you're just doubling down without really responding to anything directly. You say you disagree with the allegations - why do you disagree with them? I understand you probably can't speak to this for legal reasons, but this vague rebuttal is worse than saying nothing at all. It just sounds like typical corporate PR, which makes me automatically assume you're lying.
I don't know the details of this case so I have no strong opinions, but this response makes me trust you less, not more.
I’m guessing this is the relevant section stating that summarized anonymized data is shared.
We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.
We do not sell or rent personal information that we collect.
I'm betting you are right. It may be that they sold aggregated data, and that they aggregated based on factors that might have been too granular in some situations.
Perhaps something like "all users who are in the UK and logged in last Sunday morning". Something like that could have been a pain to suss out for each instance of data sharing; in addition, if you "settle in court", you can also set court-approved definitions of what "anonymously aggregated" means.
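The re-identification risk the comment above hints at (an "aggregated" bucket that contains a single person is not anonymous) can be checked mechanically before anything is shared. This is an added illustration, not Plaid's code or policy; the login records, the five-user release threshold and the hour/day/week bucket granularities are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data): one row per login event.
# The aggregator wants to report "distinct users per (country, time bucket)".
SAMPLE_LOGINS = (
    [{"user": f"u{i}", "country": "UK", "ts": f"2021-08-08T09:{i:02d}:00"} for i in range(1, 7)]
    + [{"user": "u1", "country": "UK", "ts": "2021-08-08T09:45:00"}]   # u1 logs in twice
    + [{"user": "u7", "country": "UK", "ts": "2021-08-08T07:30:00"}]   # lone early-morning login
    + [{"user": f"d{i}", "country": "DE", "ts": f"2021-08-0{i + 1}T10:00:00"} for i in range(1, 6)]
)

# Hypothetical release threshold: a bucket with fewer distinct users than this
# is suppressed (the usual minimum-cell-count / k-anonymity style rule).
MIN_CELL_COUNT = 5


def bucket_key(rec, granularity):
    """Map a record to the aggregation bucket for the chosen granularity."""
    dt = datetime.fromisoformat(rec["ts"])
    if granularity == "hour":
        return (rec["country"], dt.strftime("%Y-%m-%d"), dt.hour)
    if granularity == "day":
        return (rec["country"], dt.strftime("%Y-%m-%d"))
    if granularity == "week":
        return (rec["country"], dt.strftime("%G-W%V"))  # ISO week, e.g. 2021-W31
    raise ValueError(f"unknown granularity {granularity!r}")


def aggregate(records, granularity):
    """Count DISTINCT users per bucket; repeat logins must not inflate a cell."""
    users = defaultdict(set)
    for rec in records:
        users[bucket_key(rec, granularity)].add(rec["user"])
    return {key: len(members) for key, members in users.items()}


def releasable(counts, k=MIN_CELL_COUNT):
    """Split buckets into those safe to share and those that must be suppressed."""
    kept = {key: n for key, n in counts.items() if n >= k}
    suppressed = {key: n for key, n in counts.items() if n < k}
    return kept, suppressed


def safest_release(records, k=MIN_CELL_COUNT):
    """Try the finest granularity first and coarsen until no bucket needs suppression.

    Returns (granularity, counts); (None, {}) if even weekly buckets are too small.
    """
    for granularity in ("hour", "day", "week"):
        kept, suppressed = releasable(aggregate(records, granularity), k)
        if not suppressed:
            return granularity, kept
    return None, {}


if __name__ == "__main__":
    for granularity in ("hour", "day", "week"):
        kept, suppressed = releasable(aggregate(SAMPLE_LOGINS, granularity))
        print(f"{granularity:>5}: share {len(kept)} bucket(s), suppress {len(suppressed)}: {suppressed}")
    print("safe to release at:", safest_release(SAMPLE_LOGINS))
```

At hourly granularity the "UK, Sunday 07:00" bucket holds exactly one user, which is the situation the comment describes; the helper only releases once the data is coarsened to the week.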
Facebook claimed repeatedly that they had never sold user data, and it turns out this was true: Instead, they had bartered user data for increased access or other privileges elsewhere.
I'd like to hear a broader statement on the specific phrasing in this article: « the fintech firm passed on personal banking data to third party firms without user consent ».
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
I see a lot of suspicion in thread below, which I very much understand.
I'd like to take a minute though to express my frustration with the banks that refuse to supply any sort of limited APIs. How is it 2021 and I still can't give my tax person read-only access to a specific year of transactions? Plaid's and others' trust issues would be so much easier if the banks had any sort of control over sharing aside from none or authorized to do anything.
I don't understand something. Please, help me understand:
"According to the lawsuit, filed Thursday in California federal court, the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories. Allegedly, these actions occurred without users knowing about Plaid’s role is a variance of “deceptive tactics.”"
So, the lawsuit is for selling the transaction histories and you say you never did it.
Why do you settle for $58M if you never did it, rather than go to court so that they present proof that, according to your explanation, must be false?
I am not convinced.
Or, the simpler explanation: you just lie here to us because you can. But you settle to not go to court because you know you can't lie yourself out of losing.
While I have you here, as a developer of a financial product myself and wanting to use something to let my users connect their bank accounts to my product via plaid, let me tell you sir that your pricing strategy sucks. There is no way for a developer to pay for plaid use on per user basis and your service cannot be used without having to pay like minimum $500 to you every month even if I have like 10 users. So basically your pricing is hostile towards startups.
Sorry you got hit by that! I work at Plaid -- most of Plaid's APIs can be used without a $500 monthly minimum contract but a few of them do require it -- we know this is a pain point and are currently looking into how we can make pricing on these products friendlier to small developers.
The cofounder was telling the truth (or, at least, nothing in the lawsuit implies that he was not).
The plaintiffs in this case are claiming that when they linked their bank accounts to PayPal/Venmo/etc using Plaid they didn't realize what they were doing, or that it's somehow unfair that Paypal/Venmo/etc got their banking data (despite knowingly inputting their credentials into Paypal/Venmo/etc).
Paypal/Venmo/etc is not a third party in that case. They're the party that the customer was knowingly interacting with.
A third party would be an unknown / unrelated data broker. Ie, the cofounder is claiming that they don't turn around and resell data to anyone other than the app that the customer was deliberately using.
The "using Plaid" part of what you're saying confuses me. My reading is that the plaintiffs are claiming that they signed up for Paypal or Venmo directly, linked their banks account, and were unaware that behind the scenes this meant their data went to Plaid, and that then Plaid both gathered data from this and sold the data.
If that's accurate - if the plaintiffs were just trying to use Paypal + their bank account, and only coincidentally using Plaid because Paypal used Plaid - then any data being captured and stored by Plaid does sound extremely fishy. I'd want them to just be a bridge to let info flow between the bank and Paypal, not store any of that themselves too. That part seems sketchy even if they never sold it - I still don't think they should keep it in the first place.
The relevant section is on pg 16, under the heading "Plaid Sells and Otherwise Exploits the Unlawfully-Obtained Private Data".
The suit alleges that "Plaid has admitted that it routinely sells the consumer banking data it collects. At a minimum, Plaid sells the data it obtains from consumers’ accounts back to the very app providers, including the Participating Apps, who use its services. [40] Plaid calibrates its prices based on the type of information being sold. [41]".
IANAL. The suit alleges that Plaid sells the data, with the specific proof that Plaid sells data to the authorized app (Paypal or Venmo in your example above). The plaintiffs do provide proof in the suit that Plaid sells the data to third parties, but suggest that Plaid might, since they already sell the data to the app that users authorized.
At risk of misrepresenting their argument, the suit seems to claim that Plaid doesn't do enough to give consumers (think average non-tech savvy person) enough of a heads up on what's happening behind the scenes. According to the suit, a consumer using Plaid doesn't understand that they give banking credentials to a third party (Plaid), which uses the credentials and "sells" data to the app that is being connected to the bank.
The above seems consistent with what the Plaid CTO wrote. I haven't seen anything that indicates Plaid sells your data to unrelated third parties. That said, I agree with the suit - Plaid should do a better job of making it clear exactly how your banking information is going to be used.
So, in other words, they're selling my data, just not to third parties. So when I go to click "connect to Plaid", now whoever I'm connecting to suddenly has every single transaction from my bank/credit card/whatever I just connected.
So still a privacy nightmare, just a slightly different one.
What's so hard about not selling my data at all, and not collecting any data except for what's absolutely necessary to connect A to B?
>then any data being captured and stored by Plaid does sound extremely fishy
I've integrated with Plaid's API (a long time ago), and this doesn't sound fishy. Plaid's API is pretty comprehensive and it would have been PayPal's job to unlink the connection after the verification took place. Plaid gives you a "token" representing the user that can be used to further look up information in their account - such as new transactions. If PayPal had naively enabled the usage of those APIs, then it's not surprising Plaid stored that data.
For example, if you (the API client) didn't want to store any information except for a user token (similar to how you might store tokens with Stripe's API), then every time you needed to look up the client's account number you would call Plaid's API to retrieve that data (which, by definition, they would be storing).
As a customer, though, that still sounds very dismaying to me.
If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.
I thought Plaid just translated "different bank account APIs" to a dev-friendly one. If they're using that to collect a lot of data THEMSELVES from customers who just wanted bank interop... that's bad. Nobody "using" Plaid is intending to give this intermediary company all that info.
I'm linking my account to Paypal because I (thought that) I trusted Paypal. I never knew I was actually giving all this shit to this other company too.
(In my case, I've used routing number/checking number because they seemed to require handing over less privileges than my full password, and this certainly seems to reinforce my skepticism about using the "sign in to your bank" password auth for linkage.)
>If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.
100%, which is why I think this lawsuit is valid. That said, even though I don't believe Plaid sold any data, a lot of people brought this up as a concern to using Plaid. I don't consider it shady behavior, because I don't think Plaid ever misrepresented their capabilities to their clients. In other words, PayPal knew Plaid would be storing this data, and used their reputation to provide legitimacy to Plaid. In my opinion, it was PayPal who was irresponsible with your data.
> Plaid has settled a $58 million class action lawsuit over claims that the fintech firm passed on personal banking data to third party firms without user consent.
and selling transaction histories:
> the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories.
For what it's worth I haven't read the actual lawsuit yet, but would love a link if it refutes the article.
I wrote a post above on my take but TL;DR - I think that the suit is mostly alleging that Plaid doesn't do enough disclosure of what's happening behind the scenes. It suggests that Plaid might sell the data to unrelated third parties, but doesn't support it with any proof. It does support itself with proof that Plaid "sells" data to the app that is being connected to the bank.
> certain illegal acts (like breaking into certain websites, illegally obtaining documents, etc.) should be legal if done for the purpose of proper journalism
This isn't the case in any country and almost certainly should not be.
In some countries, a journalist is generally free to publish anonymously sourced information, regardless of its source (which may have been a hack), and report on that information. Journalists are never allowed to hack websites. Hacking websites isn't legal.
Making some level of allowed-hacker as long as they're labeled a journalist would be crazy, as it would (1) result in the aforementioned semantic debate over who is a journalist, (2) would be the antithesis of privacy to have hackers that are allowed to hack you legally.
I think one of the reasons behind this proposed change is keeping up with changes in what it means to be a journalist.
In the UK, public interest has never been a defence. And given the increasing role that nation states are having in leaking stuff to journalists (even political parties, Labour used documents that were leaked by Russia at their conference in 2019 iirc...ofc, they were totally misleading, which was the point), it is reasonable to ask where the line with espionage actually is.
> If a stranger mentions being into crypto but then does not actually seem to know much about it, consider that they may simply be fishing for a specific type of victim.
Or, more likely, they're just trying to impress you and find common ground! I've seen this many times on dating apps but have never been drugged.
A lot of this advice is great, regardless of whether you're into crypto, but this point is a bit much.
This is quite a bit of misinformation. From the article:
> The account has also shown a preference for cultural conservatives in its “likes”, which these include ... Roger Scruton, a man known for making a career out of his prejudice; and Leon Krier, a disciple of Hitler’s chief architect Albert Speer.
Roger Scruton was knighted for his contributions to public education [0] and helped establish an underground academic network in Soviet-occupied Europe. He was also one of the best contributors to the New Statesman which I suppose is now cancelling him?
Leon Krier was in no way a disciple of Albert Speer. Speer's only mentioned in the footnotes of Krier's Wikipedia article [1] because Krier wrote a book about Speer where he asked, “Can a war criminal be a great artist?” [2]
It seems that the problem to this writer is conservatism as a whole, and of course these accounts are conservative! The whole point of the Twitter accounts is pro-conservation!
I agree with you that your comment wasn't condescending like the above commenter suggested, but disagree about modern reactor designs. They'll always carry this risk.
Sure, reactor design has changed since Chernobyl in various ways that help mitigate it, but what about Fukushima?
Fukushima was devastating, and the result was the NRC asking US reactors to reconfirm their flooding and earthquake preparedness. I don't know of any measures taken in European countries.
As climate change progresses, there could be some disastrous consequences, and it's unfair to say that the skepticism is outdated.
This isn't to say that nuclear is worse than coal (it's not), but that it isn't just handwaving.
I think that's exactly what the above commenter was saying in: "European nuclear advocates really don’t have a satisfactory political response to Chernobyl and Fukushima."
If a country experiences a nuclear accident like Chernobyl or Fukushima, your "number of casualties is lower than if we moved to coal" argument won't work. Cold numbers won't beat emotion.
Edit: On downvotes, it's very demographically consistent of HN to not believe or want to hear that emotions rule over cold numbers for many people in the world. I'm not saying that coal is better than nuclear (it's not per the numbers), but you need a satisfactory answer when a disaster happens, and rationalizing the deaths of thousands of people as "a preferred alternative to more deaths over time" won't cut it.
It’s more like cold numbers won’t beat lobbying. It’s not “if we moved to coal”. It’s “coal definitely killed more people than Chernobyl every few months for the last 100 years and is now literally burning the planet down, but somehow that’s OK.”
Yes, and that being OK is the magic of how emotions work! That's the exact valid point being ignored.
If you don't have a better response to a catastrophic nuclear disaster than "well, it killed people but coal definitely killed more people over time," then as the commenter said, you really don't have a satisfactory political response [1] to a nuclear disaster.
You're acknowledging the difference in our emotional response between gradual deaths over time versus a nuclear accident, but then hand-waving it away as irrational and unworthy of response, and ignoring that those irrational people form the majority of voters in the country.
[1] A satisfactory political response is one that will keep public opinion positive towards nuclear energy after a disaster.
I think degrees are remaining a requirement because a hiring manager and recruiter at a large company are risk averse.
There's an old saying: "Nobody ever got fired for buying IBM."
It basically means that, if you use IBM for something and it doesn't work out, you can tell your manager "who could've guessed — it's IBM!", and you'll be mostly off the hook. If you were to use some promising new startup, even if it's more likely to do a great job, the fault is squarely on you if it goes wrong.
Similarly, when hiring an engineer, the recruiter and hiring manager can explain away a bad hire to upper management by saying "what a fluke, they have a degree from Harvard!", while they would be in a tougher situation if they made a bad hire and that person had no degree.
I agree completely. We just can't imagine doing things differently.
Fun anecdote: when I was 16 (with a couple years of experience as a developer) I was working for a company on some PHP codebase and they hired someone with a master's degree in computer science to work on it with me.
10 minutes after the first meeting he set his Skype status to "HELP: can anyone teach me PHP programming"
Parent comment was responding to a comment that used the term "male." Responding with equivalent phrasing and saying "female" in that context makes a lot more sense.