Equifax Digital Marketing Ethics
Raising a red flag was one step, I’m now offering solutions. Will Equifax have the courage to act?
Raising a Red Flag
On November 18th, I published an article entitled “Equifax expose les membres de Desjardins à de nouveaux risques” — Equifax exposes Desjardins members to new risks. The long and technical article explained how the marketing practices of Equifax, their lack of transparency and apparent negligence could be considered by millions of its clients as an abuse of their right to privacy and an unnecessary exposure to new risks. I felt this was especially important for the 4.2 million Desjardins members who have seen their personal data leaked and are already on edge, expecting a sword of Damocles to strike at any time and see their identity stolen. Given the current credit scoring offering in Canada, Desjardins didn’t have much choice but to send millions of its members toward Equifax’s identity theft protection service (and pay the bill for 5 years).
During my research I contacted the Desjardins security team as well as the Chief Privacy Officer of Equifax. I was not expecting Desjardins to be able to do much about it but wanted to keep them informed — to them, Equifax is a business partner, and Desjardins pushed them hard because of language and capacity issues to onboard millions of new customers. I was not expecting much from Equifax — let’s say they don’t have the best of reputations when it comes to transparency and responsiveness — you can read the details in my previous article.
I also contacted journalists — but without the proper contacts, and given the very complex and technical nature of the topic, the story was not picked up. Until Tristan Péloquin, a journalist at La Presse, took the time to dig and understand the implications of my story. His article came out on December 17th: “Une ‘vulnérabilité’ d’Equifax inquiète Desjardins” — A “vulnerability” of Equifax worries Desjardins.
The result was a swirl of interviews on the radio, TV and more press coverage.
Nothing to reassure consumers; another chip on Desjardins’s shoulder; enough to get the attention of our elected officials and a few canned responses from Equifax…
Equifax Core Business
Whether we agree or not, Equifax makes money by enriching data about consumers and selling it. That’s what credit scoring companies do — the website Educaloi has an excellent intro on this topic.
I’m not a lawyer, but I wonder how Equifax can get away so easily while PIPEDA clearly stipulates consent; limiting collection; limiting use, disclosure and retention; accuracy and individual access. Equifax collects data about us without our consent, knowledge or right of review (unless we pay), sells it without our permission and knowledge, makes us pay to review it and puts roadblocks on our path if we want to fix errors… So much so, in fact, that the Quebec government is working to enact new laws regarding credit scoring services.
Worse, as cases of identity theft multiply around me — be it family, friends or colleagues — weak links are emerging in the false sense of security offered by Equifax’s service:
- There can be up to 30 days before your credit profile is updated, since Equifax relies on the data being sent by banks and the like — thus, the alert might come several days after the 1st suspicious activity;
- If the business happens to check the credit profile with TransUnion instead, Equifax won’t know about it immediately either;
- As exposed by the excellent Marketplace report on the CBC, credit scoring is a bit shady and not really trustworthy for consumers;
Case #1: Credit Card Fraud. Someone applied for a joint credit card at RBC using a victim’s identity, with a spouse at a different address. The cards were mailed but, luckily, the bank contacted the primary person on the card — who doesn’t have any business with RBC — and the cards couldn’t be activated. A different address and no prior business relationship should immediately raise a red flag in the banking system.
Case #2: Cell Phone Fraud. A new cell phone worth $1,000 was purchased using a false identity. In this case Fido (or Rogers) validated the identity and credit through TransUnion. When the thief received the Purolator shipping notice, they contacted customer support immediately and asked for delivery to a different address — presumably because of last-minute travel or something like that. Fido customer support — as most do — validated the identity using elements from the stolen identity. A signature was requested for the delivery of the Purolator package — only a signature — not a validation of identity… so anything can be scribbled and it will be OK. There are several weak spots here: Fido bears no responsibility if the financial information is fraudulent, since they delivered against a proof of identity. Purolator delivers and has no leverage to validate identity. TransUnion and Equifax are not in sync.
Don’t forget that in the case of Equifax, consumers are the raw material, and their real clients are the businesses willing to pay a premium to access credit score information about those consumers.
Apparently, Equifax handles Canadians’ data so differently, and their answers during the parliamentary hearings held on November 21st were so vague and unsatisfying, that Marwah Rizqy, an elected representative with a background as a professor of tax law, had to chase them for a follow-up meeting. Coincidentally, this meeting was held at Equifax’s offices on the same day the La Presse article came out. During that meeting, the following points were discussed:
- Security lock, which prevents any further credit request in case of suspected or confirmed identity theft: why is this free in the US and a paid service in Canada? Why hasn’t this lock been applied to all Desjardins customers who enabled their account with Equifax, as a proactive and more efficient measure than alerting after the fact and letting consumers fight to get it fixed? Apparently, Equifax agreed to enable this at no cost.
- Access to your credit score: why is this free in the US and a paid service in Canada? They seem to agree on this point too.
- Accuracy: offer a fast lane to remove bad credit entries when the consumer has a legal document confirming it was a fraud. Apparently, even with a fraud report filed with the police, the consumer still has to fight to get their record fixed. Worse, while we’re supposed to report to local police stations, they often discourage the victims from filing a complaint. On this point — why aren’t all fraud complaints to the police centralized under the Sûreté du Québec, so that real anti-fraud expertise could be developed from emerging patterns and arrests promptly made to discourage thieves who have it too easy! The law could be changed, but it takes time, and Mrs. Rizqy asked them to act immediately.
- Marketing audiences: she specifically asked to stop the practice of selling audiences and consumer data for marketing purposes. Equifax offers a full Marketing Solution Suite offering a wide range of capabilities:
- Aggregated Acquisition data;
- Servicing data “by providing instant alerts to changes in a customer’s employment status, address, or credit information”;
- Retention, in their own terms, “A customer address change might be a good opportunity to offer them a credit limit increase to help cover costs. A new credit card could present a chance to offer a new line of credit.”
If you want to understand the capabilities of what Equifax has to offer in this area, watch their promotional video for the suite.
In this video, they specifically say, “Help you connect customer identities and give you a single 360-degree view of your customers… by enriching your data with our unique consumer economic insights”.
Equifax’s Answer to Journalists’ Inquiries
Let’s make a distinction between Equifax core business and Equifax marketing practice.
Here’s the canned response journalist François Desjardins from Le Devoir and others received to their request for clarification:
“Equifax implements a strong security and data privacy program. We assess all inquiries related to security and privacy with a view to resolving concerns in an efficient and timely manner.
Do you feel reassured? I don’t! Let’s decipher this a little bit more:
- First paragraph: this is a typical answer, and any company would answer along the same lines when asked about security.
- “data captured by the cookies is not linked to an individual” — this is actually not true, as we will see next. Maybe it’s not deliberate and just the result of carelessness or a misunderstanding of the technology, but at least two trackers are tied to a specific individual — hence the importance of strong governance and of being extra careful when including 3rd party code in the secured area of a website.
- “not sold to third parties” — agreed, Equifax doesn’t sell this data directly to 3rd parties, but they let 3rd party marketing aggregators collect the data and sell it. It’s akin to a locksmith unlocking the door to let the thief in, and then saying he didn’t steal anything himself…
Now that we have deciphered the official Equifax statement, let’s go one step further to specifically highlight where they fail.
Individual Data Leaked to 3rd Parties
In essence, Equifax insists they are not selling behavioural data and it is not tied to individual people. Which, as you will see, is simply not true.
When you are logged into your Facebook account, the Facebook pixel will precisely identify the user visiting the Equifax secure area. This is done through the c_user Facebook cookie, which you can check for yourself using the browser’s developer tools or any tool that reveals the cookies sent when you visit a web page.
Technically, the Adobe Analytics tracker receives a unique customer id in custom property c5 and custom variable v5. Another set of custom values keeps the logged-in status (c11 & v11). This customer identifier can later be extracted from the Adobe Analytics tool and reconciled with the personally identifiable data Equifax owns — thus merging behavioural data with specific personally identifiable information. Under PIPEDA, specific disclosure of such a practice is mandatory.
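As an added example (not code from this article, Equifax or Adobe), here is a small audit of an analytics beacon URL for the kind of identifiers described above. The beacon and its values are constructed; the c<n>/v<n> parameter naming follows the article’s description of Adobe props and eVars, and the identifier heuristics are assumptions.

```javascript
// Constructed beacon for illustration: a customer id repeated in prop c5 and
// eVar v5, and login state in c11 / v11, as the article describes.
const SAMPLE_BEACON =
  "https://metrics.example.invalid/b/ss/rsid/1/JS-2.22.0/s1234?" +
  "AQB=1&pageName=secure%3Adashboard&c5=00123456789&v5=00123456789" +
  "&c11=logged-in&v11=logged-in&c7=en-CA&AQE=1";

// Heuristics (assumed, not exhaustive) for values that look like stable
// identifiers rather than page metadata.
const ID_PATTERNS = [
  { name: "numeric id", re: /^\d{6,}$/ },
  { name: "hex/uuid-like", re: /^[0-9a-f]{16,}$|^[0-9a-f-]{36}$/i },
  { name: "e-mail", re: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ },
];

// Inspect only Adobe-style custom slots (c<n> props, v<n> eVars) and return
// one finding per slot carrying an identifier-looking value or a login flag.
function auditBeacon(beaconUrl) {
  const params = new URL(beaconUrl).searchParams;
  const findings = [];
  for (const [key, value] of params) {
    if (!/^[cv]\d+$/.test(key)) continue;
    for (const { name, re } of ID_PATTERNS) {
      if (re.test(value)) {
        findings.push({ param: key, kind: name, value });
        break;
      }
    }
    if (/logged|login|auth/i.test(value)) {
      findings.push({ param: key, kind: "login state", value });
    }
  }
  return findings;
}

// Running it on the constructed beacon flags c5, v5, c11 and v11 but not c7.
console.log(auditBeacon(SAMPLE_BEACON));
```

The same function can be run over beacons captured from the browser’s network panel to check whether a walled-garden area is leaking identifiers to an analytics vendor.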
Data Aggregators Enrichment
Furthermore, each of those 3rd party marketing trackers & aggregators is enriching profiles, admittedly anonymous at first, but the cumulative data, gleaned as a specific user visits dozens of sites embedding those same trackers, ends up being so precise that it can actually target a specific individual.
Under PIPEDA, a user id which can later be used to reconcile data to a specific individual is considered Personally Identifiable Information and thus, requires consent.
The Office of the Privacy Commissioner’s policy position on online behavioural advertising states: “Taking a broad, contextual view of the definition of personal information, the Office of the Privacy Commissioner will generally consider information collected for the purpose of Online Behavioural Advertising to be personal information, given: the fact that the purpose behind collecting information is to create profiles of individuals that in turn permit the serving of targeted ads; the powerful means available for gathering and analyzing disparate bits of data and the serious possibility of identifying affected individuals; and the potentially highly personalized nature of the resulting advertising.”
To illustrate: someone visiting any of the 4,582,760 websites inventoried by the BuiltWith service as including the AppNexus tracker (adnxs.com) would further enrich what this ad network knows about them. Those sites include Wayfair, Walmart, the Wall Street Journal and millions of others. AppNexus builds sophisticated marketing models allowing companies to target the customers they want to reach — which explains why you get bombarded with ads after visiting a given website.
On this latter point, when I was interviewed by Bernard Drainville on 98.5fm, Sonia Lebel, Minister of Justice, Minister Responsible for Democratic Institutions, Electoral Reform and Access to Information, listened and commented immediately after. New legislation should be enacted after the Holidays, inspired by the GDPR in Europe, to essentially say “no consent, no tracking” and force more transparency and user control when companies share behavioural data through 3rd party trackers.
To be clear: no disclosure, no consent, no possibility of opting out might very well be against the law. For those reasons, a complaint has been filed with the Office of the Privacy Commissioner of Canada.
Offering Solutions to Equifax
1. Limit trackers to a minimum
The secured, personal area of any financial website should be considered a walled garden. That is, when it comes to marketing, there is a clear distinction to make between the information publicly available on the site and the very sensitive nature of the financial information provided in the authenticated/logged-in section of that same site. Equifax does not make such a distinction — all the same trackers are found on both sides of the wall.
Remember, those trackers are not essential to the delivery of Equifax’s service to its users. To a professional in the field, this is an indication of a lack of governance and lax security practices.
From a pure security standpoint, each additional 3rd party script (tracker) represents a new weak link which could be compromised, either inadvertently collecting sensitive data or deliberately collecting any information available on any of the Equifax webpages — thus, name and address, date of birth, employment history, detailed credit information with the institution name, credit limit, renewal date, due amount, bankruptcy details…
A survey of the top minds in my digital marketing & analytics professional network (from Canada, the USA and Europe) is unequivocal:
The use of third-party trackers in a highly sensitive area of a website should be the subject of strict governance, tight security audit and kept to an absolute minimum.
In fact, managing all those trackers has become so complex that many companies use what we call “tag managers” — a tool similar to a content management system for editing articles, but specialized in administering all those trackers. Since Equifax uses Google Tag Manager and Ensighten, adding a rule to limit trackers in the secured area of the site should be a matter of minutes…
2. Disclosure and Transparency
Here, Equifax has an opportunity to show some leadership and reassure its users.
3. Tighten your Content Security Policy (CSP)
This last point is more technical and might be of interest only to people with a knowledge of web development security best practices. A simple check with CSP Evaluator, a tool provided by Google, reveals additional undue risks.
I asked security experts what they thought about this CSP and here’s a summary of their feedback:
- ‘unsafe-inline’ — according to Google’s web development fundamentals, “inline code is considered harmful”. Although it is common, it shouldn’t be allowed in a highly secured environment;
- ‘unsafe-eval’ — this one is even worse, as it facilitates code injection, and although some tag managers require it for specific features, it can, and should, be disabled;
- absence of object-src ‘none’ — since Equifax still uses the Adobe Flash plugin, which has security issues of its own, they can’t tighten this aspect until this archaic tool is removed;
- the presence of multiple tag managers is generally considered an indication of a lack of marketing & security governance — namely, both Ensighten and Google Tag Manager are present, while Adobe Tag Manager is now defunct yet still in the CSP whitelist;
- one entry still puzzles me — start.earthlink.net/channel/inc/js/ — which seems to be something not in use anymore and should be removed from the whitelist.
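As an added example (not Equifax’s policy, and not Google’s CSP Evaluator), here is a small checker for the weaknesses listed above: ‘unsafe-inline’, ‘unsafe-eval’, a missing object-src ‘none’, and stale hosts in the allowlist. Both policies are constructed for illustration; the stale-host list uses the start.earthlink.net entry the article questions.

```javascript
// Constructed weak policy: inline and eval allowed, no object-src, and a
// leftover host in the script allowlist (hosts other than GTM are placeholders).
const WEAK_CSP =
  "default-src 'self'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com " +
  "https://tagmanager-b.example.invalid https://start.earthlink.net/channel/inc/js/; " +
  "img-src * data:";

// Constructed hardened policy: nonce-based scripts, plugins blocked.
const HARDENED_CSP =
  "default-src 'self'; " +
  "script-src 'self' 'nonce-{random-per-response}' 'strict-dynamic'; " +
  "object-src 'none'; base-uri 'self'; img-src 'self' data:";

// Hosts no longer in use that linger in the allowlist (from the article's list).
const STALE_HOSTS = ["start.earthlink.net"];

// Parse "directive src src; directive src" into a Map of directive -> sources;
// per the CSP spec, a repeated directive is ignored, so first one wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return one finding per weakness; an empty list means the checks are clean.
function auditCsp(header, staleHosts = STALE_HOSTS) {
  const d = parseCsp(header);
  const findings = [];
  // script-src and object-src fall back to default-src when absent.
  const scriptSrc = d.get("script-src") || d.get("default-src") || [];
  const objectSrc = d.get("object-src") || d.get("default-src") || [];
  const hasNonceOrHash = scriptSrc.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src allows 'unsafe-inline' with no nonce or hash");
  if (scriptSrc.includes("'unsafe-eval'"))
    findings.push("script-src allows 'unsafe-eval'");
  if (!objectSrc.includes("'none'"))
    findings.push("object-src is not 'none' (plugin content such as Flash allowed)");
  for (const src of scriptSrc) {
    let host;
    try { host = new URL(src).hostname; } catch { continue; } // skip keywords like 'self'
    if (staleHosts.includes(host)) findings.push(`stale allowlist entry: ${host}`);
  }
  return findings;
}

console.log(auditCsp(WEAK_CSP));     // four findings
console.log(auditCsp(HARDENED_CSP)); // []
```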
In a nutshell, what those points highlight is that, despite Equifax’s claims, some simple validations point toward a lack of marketing governance and lax security practices.
The Courage to do it Right
Marketers like to claim they are “customer centric” and that their consumer experience is a top priority. What they should realize is that a great, positive customer experience begins with trust. As the saying goes, “once burned, twice shy.” After Desjardins’s debacle, consumers are already on edge when it comes to Equifax.
Most of what I highlighted in my previous article and here does not fall within the realm of legal obligations, and Equifax can continue to hide behind empty phrases and blanket statements…
Or they could take simple and concrete actions to reassure their customers:
- establish clear rules and governance around data collection for marketing purposes, and limit data collection in the secured area of the website to a minimum;
- be fully transparent about such practice and let the user opt out if they do not wish to be tracked, or better still, establish a “no consent, no tracking” guiding principle;
- enroll independent experts to audit and fix simple security issues and best practices which are unacceptable on a financial website.
Is this asking for too much? I don’t think so, and I hope Equifax will have the courage to act.
I will post additional info here as it becomes available.
- January 8: the Journal de Montréal reveals the Office de la Protection du Consommateur is making verifications concerning the contracts and practices of Equifax.
- January 11: La Presse reveals Equifax is making some changes as a result of this work. Kudos to journalist Tristan Péloquin who dug up the story and harassed Equifax to get some answers! Although they claimed — as any company would do — that security was a priority, in an official response they state “We take any requests or suggestions regarding security very seriously” but at the same time admit that “a tag called Tealeaf which was no longer active since a few years”… This only demonstrates their lack of rigour — an unused tag should not remain on a secured site! This further demonstrates their lack of governance and lax security practice leading to third party code left hanging with the potential to become vectors for security breaches… Nevertheless, this is a step in the right direction.
Disclaimers & Motivations
During some of the media interviews, I was asked if anyone sponsored my work:
- I want to state very clearly that nobody is sponsoring me and I’m not receiving any compensation for this work, which is my own independent initiative.
- I was employed by Desjardins General Insurance Group from 2006 to 2007 as a web architect and helped establish some of the digital analytics practice there.
- Later, as a consultant, I was involved with Desjardins in a digital analytics specialist role which ended in 2015.
That being out of the way, my goal isn’t to bash Equifax or Desjardins. Just like all victims of the Desjardins data leak who were directed to Equifax, I feel powerless and frustrated by their corporate attitude and apparent carelessness.
My motivations are simple:
- Publicly call out digital marketers’ lack of ethics and malpractice when I see them, and only after having done my best to collaborate with them in private (e.g. submitting to Equifax’s HackerOne program, which was simply dismissed);
- Following the Desjardins data leak, and being a victim of it along with my family, friends and colleagues, contribute with my own capacity and expertise to limiting the risks associated with data leaks and identity theft;
- Educate consumers about the constant invasion of their privacy and what they can do to protect themselves;
- Educate marketers about their responsibilities toward the ethical use of data.
Please share your thoughts below or contact me in confidence at me@StephaneHamel.net if you work in digital marketing and would like to share some of the unethical practices and malpractice I’m sure you are witnessing around you.
Stéphane Hamel is a seasoned independent digital marketing and analytics consultant, innovator, teacher and speaker with a strong interest in user privacy and the ethical use of data.