interesting-people message



Subject: IP: Citibank's meaningless privacy notice: [risks] Risks Digest 21.38



>Date: Thu, 3 May 2001 02:03:04 -0400 (EDT)
>From: VASSILIS  PREVELAKIS <vassilip@dsl.cis.upenn.edu>
>Subject: Citibank's meaningless privacy notice
>
>Citibank (South Dakota, N.A.) sent a leaflet to its customers to "...tell you
>how you can limit our disclosing personal information about you."
>
>Observe what great choice Citibank customers have:
>
>     [...]
>
>     Categories of Nonaffiliated Third parties to whom we may disclose
>     personal information
>
>     Nonaffiliated third parties are those not part of the family of
>     companies controlled by Citigroup Inc.
>
>     We may disclose personal information about you to the following
>     types of nonaffiliated third parties:
>
>     * Financial services providers, such as companies engaged in banking,
>       credit cards, consumer finance, securities and insurance,
>
>     * Non-financial companies, such as companies engaged in direct
>       marketing and the selling of consumer products and services
>
>     If you check box 1 on the Privacy Choices Form, we will not make
>     those disclosures except as follows. First, we may disclose information
>                       ^^^^^^^^^^^^^^^^^
>     about you as described above in "Categories of Personal Information
>     we collect and may disclose" to third parties that perform marketing
>     services on our behalf or to other financial institutions with
>     whom we have joint marketing agreements. Second, we may disclose
>     personal information about you to third parties as permitted by law,
>                                                     ^^^^^^^^^^^^^^^^^^^
>     including disclosures necessary to process and service your
>     Citi Card account.
>
>     [...]
>
>     Sharing with Citigroup Affiliates (Box 2)
>
>     The law allows us to share with our affiliates any information about
>     your transactions or experiences with you.
>     Unless otherwise permitted by law, we will not share with our
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     affiliates other information that you provide to us or that we
>     obtain from third parties (for example credit bureaus) if you check
>     Box 2 on the Privacy Choices Form.
>
>     [...]
>
>The options the clients are given are nonsensical as the bank retains the
>right to share information "as permitted by law" with just about everybody.
>
>Let's consider Box 1. Assuming that Citibank does not break the law, if the
>customer does not check the box, Citibank can share personal information
>with third parties. If the customer checks the box, Citibank "may disclose
>personal information to third parties".
>
>So whether Box 1 is checked or not the effect is the same unless Citibank
>breaks the law in sharing information with third parties.  Only in this case
>checking the box makes a difference. If the box is checked, the customer
>essentially asks Citibank to stop performing these illegal activities.
>
>Let us now consider box 2. Regardless of the state of the box, Citibank can
>share with its affiliates "any information about [Citibank's] transactions
>or experiences with [the customer]."
>
>The information that box 2 is supposed to control is information "obtain[ed]
>from third parties". Again if the box is not checked then this information
>may also be shared, while if the box is checked personal information may
>still be shared unless prohibited by law.
>
>Great choice!
>
>On their web site "http://www.citibank.com/privacy" Citibank claims:
>     "6. We will tell customers in plain language initially, and at
>         least once annually, how they may remove their names from
>         marketing lists. ..."
>
>If the language that was used in the leaflet is "plain" then Citibank must
>assume that all their clients are lawyers.
>
>In fact the whole purpose of the leaflet is to *pretend* that Citibank cares
>about the privacy of the customers, while retaining the right to distribute
>the personal information of their customers in any way they like.
>
>I have no problem with that - if I want privacy I can open a dollar account
>with a European bank and enjoy the protection of the EU laws.  I *do*
>object, however, to being handed a document like that which treats me like
>an idiot.
>
>Vassilis Prevelakis, University of Pennsylvania



For archives see: http://www.interesting-people.org/

