As someone who recently moved to Washington, D.C., after three years in London and many more in Norway, and is currently playing the waiting game that is U.S. immigration, I received my social security number earlier this month. Applying for a bank account was next on my list.
Before I had completed the online application–and without ever submitting the form–my personal information had been given to a third party for marketing purposes. As I dutifully entered my details, including my full name, address, social security number and phone number, into the form, the website was quietly sending the information back to the bank using a few clever lines of code.
A close friend had recommended the brokerage and banking company Charles Schwab a few months prior. I was less than impressed by their weak password policy, which says passwords can be no longer than eight characters, no shorter than six and without any symbols, but my friend’s strong recommendation and the promise of a free security token for two-factor authentication had me convinced that Schwab would be a good place to bank with.
I was halfway done with step two of the application when I realized I would be unable to complete it online. The form asks for a U.S. driver’s license, something I don’t have yet. After confirming this with a Charles Schwab employee through the live chat on the website, I closed the page and went to fill out the form manually instead. Little did I know that Schwab had already created a profile for me in their system, even though I never clicked the “save” or “submit” button.
The following morning, I received an email from Charles Schwab reminding me that I had not completed the online application. I ignored it. A day later, I received a phone call from Q & A Research, Inc., a marketing research supplier, telling me they were doing a survey on behalf of Charles Schwab and would like to ask me some questions. I hung up.
It reminded me of the story of how Facebook tracks what users type, even if they never post it (in reality, Facebook will only see that a user canceled a post, not what he or she had written). In some ways, this was my fault. I should have read the Privacy Notice, the Terms of Service and the disclaimer written in a small font. I should not have assumed that information would only be transmitted once I hit submit.
“This is not standard practice,” said the Charles Schwab customer service representative I spoke to on Wednesday, clearly unaware of the bank’s own Privacy Notice. “We don’t know how this happened,” he added after speaking to his manager. The representative went on to explain that he could update my profile to limit the sharing of my personal information.
I was surprised to learn that I already had a profile. Had I filled out the application by hand to begin with, and then ripped it apart and thrown it in the trash, Schwab would never have known.
“It could be that only contact details of ‘fleeing’ applicants are used to try and figure out why they fled,” says Joseph Lorenzo Hall, Chief Technologist at the Center for Democracy and Technology. “But the transmitting of certain elements of that form before submission, like social security numbers, seems especially dangerous.”
When asked to comment on this practice, Sarah Bulgatz, Charles Schwab’s Director of Public Relations, emailed me a screenshot of the disclaimer with a hand-drawn blue arrow pointing to the Privacy Notice. My follow-up email went unanswered.