EFF Calls Out Payment Processors for Not Publishing Transparency Reports

Rainey Reitman lays out the case for why payment processors such as Stripe and Paypal need to start publishing transparency reports that detail how often law enforcement agents are requesting data from them, and how often they are giving law enforcement data about users. To be honest, before reading her article I would have assumed that payment processors were already doing this since transparency reports are such a common feature today.

Payment processors like Stripe, Paypal, Bitpay, and Coinbase are the intermediaries that allow you to support your favorite websites, send donations, and make purchases online. They’re often privy to details of your financial life, which can be deeply revealing. Your finances can say a lot about your daily habits, your political orientation, your physical location at different moments in time, your associates, and your health concerns. Given how sensitive this information is, you might assume that law enforcement agents must show probable cause to a judge and receive a search warrant before accessing financial records. But you’d be wrong. Financial data is frequently obtained through a less stringent process, such as a subpoena, a 314 (a) request, or a National Security Letter, none of which require review from a judge before being sent to the financial service provider. Furthermore, the financial industry is already heavily regulated and laws currently mandate that various financial institutions, from banks to money transmitters, must keep extensive customer records and proactively report information about large or suspicious transactions to the government. Over the last two decades, the volume of these reports has grown rapidly, now surpassing millions per year. In effect, thousands of companies have been deputized to bulk collect and report reams of private financial information to the government.
. . .
Tracking transparency reports year over year is vital to the public’s understand of government efforts to surveil and censor. Analysts can use these reports to learn a lot: Are requests for user data increasing in particular sectors? How many accounts are impacted, and are all those accounts bundled into just a few requests? Are payment processors resisting certain government requests, or complying with every one?

Ideally, payment processors would choose to embrace even more transparency. For example, we’d like to see a commitment to publicly report on government requests that don’t come with an official subpoena, such as when Cook County Sheriff Thomas Dart violated the First Amendment by bullying credit card companies to shut down an account. We hope that financial companies would detail their process for handling government requests and include a process for account holders to appeal those decisions. We urge payment processors to report on how many Suspicious Activity Reports they file annually and how many unique customers those reports relate to. It would also be extremely helpful for payment processors to report on requests that may originate outside of the government, and to provide aggregate numbers on how many accounts are frozen and shut down in a year that aren’t about fraud.

Leave a Reply