Using your phone as a mobile bank teller? You may be risking your privacy

Tweet

Online banking has become so popular that most people never have to leave their home to manage their finances.  In fact, it has become a fairly reliable way to manage one’s money.  But what about mobile banking?  How does it vary from banking online?  And what effect does this variation have?

Initially, mobile phones, particularly smart phones, were used to check account balances, monitor transactions, and at most, transfer funds between accounts.  A number of banks, however, now have mobile applications that allow users to deposit checks through their phones and conduct activities once performed only by bank tellers.  Mobile banking, which is commonly performed on a user’s cellular phone, is convenient, easy, and typically free, but unfortunately, it may significantly infringe on users’ privacy.

Mobile banking can be used as a fingerprint to identify people accurately.

Online banking, which is commonly performed on a user’s personal computer, requires users to divulge personal information.  This inherently carries some security risk, but that risk generally does not involve revealing one’s entire identity.  That is one way in which online banking differs from mobile banking.  A new study published by researchers from Harvard and MIT, among other institutions, suggests that mobile banking “can be used as a ‘fingerprint’ to identify people with a striking degree of accuracy.”  While private information may be divulged when using the internet to conduct online banking, precise geographic location of the user is not as easily revealed as it is with cellular phones, especially smart phones with built-in GPS.

The majority of people who use mobile banking do so to check their bank statement or transfer funds from one account to another.  According to a survey conducted by the Federal Reserve, this activity increased significantly from 2011 to 2012, with twenty-eight percent of all mobile phone users using mobile banking in the last year.  Although mobile banking is becoming more popular, there is one thing many users are not willing to do: using phones to make a purchase at the point of sale still remains extremely uncommon.  In 2012, only six percent of mobile phone owners reported using their phones to make a purchase.  That is a slight rise from 2011, when only two percent of users stated that they had used their phones to make a purchase.

Over half of the participants in an FTC survey had no interest in ever using mobile banking because of security risks.

A report titled “Paper, Plastic…or Mobile? An FTC Workshop on Mobile Payments” (pdf) indicated that although mobile banking may be increasingly popular, over half of the participants interviewed as part of the workshop had no interest in ever using mobile banking.  Many were skeptical of doing so because of security risks, which they believed outweighed the benefits.

While the more technologically minded mobile phone users might see these fears as irrational, the above-mentioned study published by Harvard and MIT confirmed these fears.  The study indicated that anonymized cellphone location data exhibit patterns of behavior that could be used to identify a person.

The researchers “were able to ‘uniquely identify 95 percent of the individuals’ so long as they had hourly updates showing cellphone location and could measure it against four distinct ‘spatio-temporal points’ on a map.”  Think about buying something from the App Store on an iPhone.  About one-third of the billions of these apps access users’ geographic location.   If these apps are used frequently enough and one’s location is distinctly revealed on a map, it is likely that the user could be identified.  In the area of mobile banking, this could be dangerous.

When using a mobile phone, one truly becomes mobile.

When using a mobile phone, one truly becomes mobile, and this mobility is easily tracked, something to consider carefully when using mobile banking or making a payment directly from a phone.  This could mean something as simple as using a Starbucks app to buy a cup of coffee or using an app directly provided by a bank to manage accounts. There is a good chance that these and other apps are tracking geographic locations and can be used easily to gather information from bank accounts.

The Harvard and MIT study gathered data on 1.5 million people over a fifteen-month period, using people’s geographic locations.  The data showed, for example, “where users worked, where they shopped, where they went to relax on the weekends, where and when they left the country and from which airport they departed.”

The U.S. Department of Justice argued that police should be able to access phone location records without a warrant.

Naturally, many people are uncomfortable when presented with the fact that private details of their lives can be detected and disseminated via their mobile devices.  Unfortunately, very few states have addressed these accompanying privacy issues, and the federal government is also playing catch-up.  In 2012, the U.S. Department of Justice argued that Americans have no reasonable expectation of privacy over the location data revealed by their mobile phone, stating that police should be able to access phone location records without first obtaining a warrant.

Earlier in 2012, the Supreme Court unanimously decided United States v. Jones (pdf), which restricted the police’s ability to use a GPS device to track criminal suspects.  The decision, however, did not address how the government can use information accessed by other modern technology for surveillance purposes.

Justice Scalia issued a limited ruling, stating that obtaining electronic surveillance without having to physically enter one’s property may still be an “unconstitutional invasion of privacy.”  Unfortunately, there was no definite ruling on anything other than GPS surveillance physically attached to a suspected criminal’s vehicle.  While tracking someone using their geographic location on a mobile device might be risky and the resulting evidence may be suppressed, it was not ruled as something that is, without a doubt, unconstitutional.

Broader privacy bills are now being passed that will make it state law to obtain a warrant before gathering cell phone location data from carriers.

In the past year, privacy bills with a broader reach than the mobile banking context have been considered and even passed in some states.  Sweeping mobile privacy legislation was considered by the Texas legislature in its most recent session.  A bill increasing the requirements for obtaining a warrant in order to access a suspect’s emails was signed into law, but a bill requiring a warrant for cell phone location data, tower location data, and possibly even pen register data failed to advance.

The proposed legislation would have established procedures for a user’s mobile data to be released; law enforcement agencies would have to show probable cause that the records would disclose location information that would provide evidence in a criminal investigation.  A judge would then have to issue the warrant assuming probable cause was shown.  The bill would also require that cell phone carriers report how often they receive requests from law enforcement and how much information they provide.

The status quo remains in Texas, and law enforcement agencies can simply contact cell phone carriers and request real-time data in order to immediately track suspects or request older records to see when and where calls were made.  No warrant is required.

Maine and Montana are the only two states in the nation to pass a bill requiring a warrant to obtain location data from mobile devices.

While the Texas mobile privacy bill will have to be revisited in the future, Montana and Maine just recently passed similar bills.  They are the only two states in the nation to pass a bill of this sort.

Maine’s legislation states that law enforcement cannot obtain location data information with first obtaining a warrant from a judge.  Furthermore, the warrant is valid for only ten days, ensuring that data information will not continue to be obtained without probable cause or for purposes other than those specifically indicated in the warrant.  The bill also requires that notice be given to the suspect whose location data is being obtained.

Montana’s new law is worded similarly, but does not limit a warrant to only ten days.  It does make it clear that any evidence obtained in violation of the law is not admissible in a civil, criminal, or administrative proceeding and may not be used as probable cause in an affidavit to obtain a search warrant.  The law states that a violation will result in a civil fine of no more than $50.

If states start acting, then Congress may need to enact a uniform rule.

Eleven other states currently are considering similar bills, but it will be a matter of time before any significant changes are made.

“What the states do on this issue will certainly influence what Congress does,” said Gregory Nojeim, senior counsel at the Center for Democracy and Technology.  “It’s clear to me that because the location of a cell phone is mobile and because phones cross state lines routinely it’s probably that if the states start acting then Congress would need to enact a uniform rule.”

A uniform rule would certainly be ideal, and there have been some initial efforts made in Congress.  But in the meantime, cell phone users should think twice before giving in to the conveniences of mobile banking.