cross-posted from: https://links.hackliberty.org/post/125466

My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants ā€“ and rightfully so. The statement just shows the shop name, location, and amount.

Exceptionally, if I purchase airfare the bank statement reveals disclosures:

  • airline who sold the ticket
  • carrier
  • passenger name
  • ticket number
  • city pairs

So thatā€™s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesnā€™t this violate the data minimization principle?

Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).

Has anyone switched to using a travel agent just to be able to pay cash for airfare?

UPDATE

A relatively convincing theory has been suggested in this other cross-posted community:

https://links.hackliberty.org/comment/414338

Apparently itā€™s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.

GDPR question still outstanding.

  • frog šŸø@beehaw.org
    link
    fedilink
    English
    arrow-up
    11
    Ā·
    1 year ago

    Seconding the guess that itā€™s so your card doesnā€™t get frozen. If your bank knows youā€™re meant to be in a specific place, theyā€™ll know transactions happening there arenā€™t because someoneā€™s stolen your card. It would probably be a valid exception to GDPR on those grounds.

    In fact, now you mention it, Iā€™m guessing this is why my credit card company never raised any issue with me using the card in London a couple months ago, after buying train tickets to London on the same card. I thought that was odd, given they regularly ask me for 2FA on transactions that arenā€™t unusual, but suddenly being halfway across the country wasnā€™t flagged as being even remotely suspicious.

    That said, I think the amount of information being given here does seem excessive. Just letting your bank know the destination and dates ought to be sufficient for security purposes. For data protection, it would be better if the airline said nothing, and your bank waited for you to tell them when and where youā€™re travellingā€¦ but how many people would remember to do that?

    • Link.wav [he/him]@beehaw.org
      link
      fedilink
      arrow-up
      7
      Ā·
      1 year ago

      but how many people would remember to do that?

      Every single person who has traveled has been advised to do this. ā€œPeople might forgetā€ is no good reason to mandate sharing this data. It should be opt-in, and itā€™s disgusting that itā€™s not.

      • frog šŸø@beehaw.org
        link
        fedilink
        English
        arrow-up
        7
        Ā·
        1 year ago

        Itā€™s been more than 15 years since I last travelled abroad, but Iā€™ve now got a holiday booked next July. It genuinely hadnā€™t occurred to me that Iā€™d need to tell the bank Iā€™m going, because I actually havenā€™t received any advice to do so. Itā€™s not as common knowledge as you think it is. Thankfully, Iā€™m now aware of the need to do so, so I will. But itā€™s not in any of the confirmation emails for the tickets, nor on the governmentā€™s travel advice pages (which I have checked, and started organising things like updating a couple of my vaccinations.)

        Nevertheless, I agree it ought to be opt-in, rather than mandatory. Everybody should get to make the choice, even if it means occasionally they get stranded abroad with no access to money.

        • Link.wav [he/him]@beehaw.org
          link
          fedilink
          arrow-up
          1
          Ā·
          1 year ago

          Exactly, this just tells us we need to do a better job about educating people. Many of the conveniences we enjoy come at the expense of personal autonomy and privacy, and in my opinion itā€™s never worth it.

          I recently traveled to Canada by road trip, and when I called my bankā€™s number I was surprised to learn that I donā€™t need to report things like this. This actually disturbs me because it shows that they must have some way of collecting sufficient data to show that I am traveling to a specific place at a specific time, and in my opinion my bank has no business knowing this unless I choose to disclose it.

          • frog šŸø@beehaw.org
            link
            fedilink
            English
            arrow-up
            2
            Ā·
            1 year ago

            I think what annoys me most is that I have been trying to educate myself on what I need to do before I travel, and so much necessary information just isnā€™t available in a logical place. Like why, for example, does my countryā€™s governmentā€™s travel advice page have some information (check vaccinations are up to date) but not others (check bank knows where youā€™re going)? Even for a decently intelligent person who proactively tries to educate themselves, it feels like a losing battle against poorly organised information.

            • Link.wav [he/him]@beehaw.org
              link
              fedilink
              arrow-up
              1
              Ā·
              1 year ago

              Part of the problem is that government agencies can never keep something in place long enough to even determine if itā€™s effective, so this is the type of situation that leads to

    • soloActivist@links.hackliberty.orgOP
      link
      fedilink
      arrow-up
      1
      Ā·
      edit-2
      1 year ago

      If your bank knows youā€™re meant to be in a specific place, theyā€™ll know transactions happening there arenā€™t because someoneā€™s stolen your card.

      Every bankā€™s AI-driven fraud detection system is different and non-transparent. Whenever my account gets frozen for ā€œfraudā€ and I removedĀ¹ at the bank over it, I ask WHY my account was frozen. The CSR guesses what happened (because apparently itā€™s such a secret the bankā€™s own staff is kept in the dark). This can be deceiving because bankers seem to be trained to propose their guesswork with confidence to thwart questions. I ask ā€œwhere in my terms of service agreement does it say I shouldnā€™t do [whatever the CSR thinks triggered the fraud sensors] & how can I prevent this false positive in the future?ā€ They can never answer that.

      Some banks donā€™t require travel notices and some do. The banks that donā€™t: how are they finding out my travel plans when I buy the ticket using a different bank? Most likely their fraud algo is (or tries to be) smart enough to not need to track you.

      It would probably be a valid exception to GDPR on those grounds.

      How is sharing purchase info with banks within the bounds of the airlineā€™s operational needs? The bankā€™s problem is not the airlineā€™s problem.

      (edit)

      1: woah, slur filter did a silent hit-and-run on my post. The word ā€œremovedā€ should be some form of ā€œcomplainā€ using a synonym that begins with a ā€œbā€.

      • frog šŸø@beehaw.org
        link
        fedilink
        English
        arrow-up
        2
        Ā·
        1 year ago

        The AI-driven fraud detection system is probably more accurate when the other transactions on the account support the questioned transaction. If thereā€™s a bunch of transactions in a city/country youā€™ve never been to before, the fraud detection algorithm can come to two conclusions: either you have travelled there, or someone has cloned your card. If thereā€™s a transaction showing you bought tickets to that city/country for the same dates that transactions happen within that city/country, thatā€™s evidence to support one decision over the other on the algorithmā€™s part.

        The prevention of crime and fraud is a valid exception to GDPR, and it being the bankā€™s problem entitles them to request the data from the airline/train company/whatever.

        Like I said, I donā€™t agree with the quantity of data being shared here, but letā€™s face it, if you travel to another place and use your card there, then your bank are going to know youā€™re there. If you use your card to buy foreign currency, theyā€™re going to know youā€™re going to that country. So as a general principle, I donā€™t think a travel company sharing the dates and destination really makes any difference.

        • soloActivist@links.hackliberty.orgOP
          link
          fedilink
          arrow-up
          1
          Ā·
          edit-2
          1 year ago

          if you travel to another place and use your card there, then your bank are going to know youā€™re there.

          Thatā€™s not the same bank that I bought my airfare with. The bank I use to buy the airfare with has no reason to know where I am. IIRC thereā€™s a stat that on avg Americans have like ~15 or so different bank/credit cards. What youā€™re saying makes no sense. The airline takes the liberty of giving a travel notice to just one of your dozens of banks, and what about the rest?

          If thereā€™s a transaction showing you bought tickets to that city/country for the same dates that transactions happen within that city/country, thatā€™s evidence to support one decision over the other on the algorithmā€™s part.

          I often buy a one-way ticket with one card and a one-way return with another. So not even one bank has the full picture. I typically leave those cards at home as well because they have poor forex rates. Yet this doesnā€™t trip fraud sensors on the cards I carry to the destination. The fraud sensors are tripped when I forget my ATM limit or incorrectly adjust that limit for the foreign currency.

          One bank that requires a travel notice doesnā€™t even accept that a trip would last more than 2 weeks. I call and say I will be gone 3 weeks, or 4 weeks, and they cannot handle it. They say ā€œthe travel notice will expire in 2 weeks so you have to call again when that time comes to renew your travel noticeā€. What I tell them directly carries more weight than whatever shows up on the transactions because they have no way of knowing what other travel arrangements I have. Yet what I tell them is not fully utilized.

          The other problem with your theory is travel notices are a recent development of the past ~10ā€”20 years, whereas itineraries have been shared with banks for as long as I can recall (~25+ years). Anyway, speculation isnā€™t cutting it. Solid info needed on why this is happening.

          • frog šŸø@beehaw.org
            link
            fedilink
            English
            arrow-up
            2
            Ā·
            1 year ago

            Iā€™m finding your hostility towards me to be completely unnecessary. Unless there is someone here that works for a bank, youā€™re not going to get a solid answer, only peopleā€™s best guesses. I have offered you the most likely explanation. Getting angry at me for that is not in keeping with the rules of the Beehaw community.

          • essell@beehaw.org
            link
            fedilink
            arrow-up
            1
            Ā·
            1 year ago

            Reading this response, Iā€™m compelled to ask

            Do you want an answer or just a space to br angry and rant?

            Do you have an answer in mind which youā€™re looking for and will react with hostility to anything which doesnā€™t fit with your expectations?

            • soloActivist@links.hackliberty.orgOP
              link
              fedilink
              arrow-up
              1
              Ā·
              1 year ago

              Do you want an answer or just a space to br angry and rant?

              Itā€™s all about getting an answer. Any rant that you think you sensed is at most an attempt to motivate a good answer.

              I should also stress that I donā€™t want bad answers. The same broken speculation has been posted multiple times in this thread and in the parent. Thus compelling me to repeat the flaws in that bad answer.

              Iā€™m confident at this point that I finally got a viable answer: insurance. But I might be tempted to press for more details because itā€™s still unclear how the GDPR compliance pans out. GDPR violations are rampant these days, so it could lead to an article 77 complaint. I still have to do a bit of analysis on that from the insurance narrative.

  • jarfil@beehaw.org
    link
    fedilink
    arrow-up
    10
    Ā·
    edit-2
    1 year ago

    Credit card purchases come with complimentary travel insurance, so it makes sense theyā€™d share the travel details with the bank in charge of that insurance.

    You most likely agreed to that disclosure both when signing for the card contract, the insurance contract, and the travel purchase.

    As others said, the bank ā€œcouldā€ also use the information to avoid blocking your card for potential fraudā€¦ but often thatā€™s a separate feature that you need to enable manually (default is to accept all payments).

    • soloActivist@links.hackliberty.orgOP
      link
      fedilink
      arrow-up
      5
      Ā·
      edit-2
      1 year ago

      The travel insurance sounds more plausible than the anti-fraud measure. I had not considered that. Although the question is how is that info sharing is arranged considering airline would not inherently care about my travel insurance or have a duty to inform my insurer.

      • jarfil@beehaw.org
        link
        fedilink
        arrow-up
        7
        Ā·
        edit-2
        1 year ago

        Airlines definitely care about your travel insurance: if your bag, or body (or a limbā€¦ the payout tables are kind of grim), get lost during flight, someone will have to pay for it. Airlines donā€™t want to be the ones to pay, so they have their own insuranceā€¦ but that insurer also doesnā€™t want to be the one to pay, so theyā€™ll want to have your bank-cardā€™s insurerā€™s information, who in turn will require your travel information in order to accept issuing the insurance (likely will reject it on travels to select countries)ā€¦ and thatā€™s how the information gets shared all the way.

        • soloActivist@links.hackliberty.orgOP
          link
          fedilink
          arrow-up
          1
          Ā·
          edit-2
          1 year ago

          Thatā€™s all plausible. But in the end the airline (their insurance) will be the loser, no?

          When a traveler has insurance they have some reassurance & comfort that the loss wonā€™t be theirs as they will file a claim. In my cases of lost luggage, the rules of the travelerā€™s insurance claim required me to still file a claim with the airline. The airline seemed to have the primary liability. Wouldnā€™t it be bizarre if the airline (who caused the loss) would get off the hook? My insurance just ensured I was compensated one way or another so long as I followed the rules and reported the loss to the airline. From there, wouldnā€™t my insurance work in their own interest to ensure the airline pays out? Surely my insurance must only be liable for benefits coverage that exceed the airlineā€™s responsibility (depending on how generous my policy is).

          Since an insurance company has the resources and legal muscle to ensure the responsible company pays out, I would expect it to /not/ be in the airlineā€™s interest to deal with another insurance company over a loss. Just about every time I had a loss without insurance, the airline was directly liable to me but they told me to pound sand. Every time IIRC. They wouldnā€™t get away with that against another insurer.

          Most of my cards are free with lousy policies that only pay out if I lose a limb or something like that. It was only when I paid for extra insurance that I got coverage that was useful.

          In any case, if you are correct, that implies if I get a payment card with zero insurance (a prepaid card?), then the flight details wonā€™t be shared, correct? Might be interesting to test that, but tricky because prepaid cards often donā€™t issue a statement.

          • jarfil@beehaw.org
            link
            fedilink
            arrow-up
            3
            Ā·
            1 year ago

            Airlines never pay, thatā€™s what they have insurance for šŸ˜‰

            The way it works, commercial air travel is highly regulated, with lots of laws regarding both safety and consumer rights. Airlines donā€™t risk having to pay for breaching any of it, instead they find an insurance company that will asses the company, estimate the chance of certain breaches happening, run their numbersā€¦ and gamble on asking the airline to pay a fee that they expect to be higher than what they expect to pay out the airline for its failures.

            When you put a claim against an airline, theyā€™ll send you away just so their insurer doesnā€™t raise their insurance payments. If you sue them, and winā€¦ the airline still wonā€™t pay, it will most likely be the airlineā€™s insurer (unless the airline loses their claim for the insurer to cover the costs of paying you, but that would be rare and kind of neglectful on the airlineā€™s part).

            When you pitch your own insurance company against an airline, itā€™s really going to talk to the airlineā€™s insurance company, if they arenā€™t the same company to begin withā€¦ and as luck would have it, both insurers donā€™t make their profits on whether they pay your claim or not (unless itā€™s something really egregious), but on raising the regular payments for the airline and your bank, so theyā€™re very likely to just grant your claim and raise their fees.

            if I get a payment card with zero insurance (a prepaid card?), then the flight details wonā€™t be shared, correct?

            Thatā€™sā€¦ a resounding ā€œmaybeā€.

            Prepaid cards come in more kinds than banks issuing them; some are linked to a main account, some are separate entities, some have a per-card accountā€¦ with a physical version, virtual, virtual physical, ā€œprint your own from a PDFā€ (not joking)ā€¦ VISA, MasterCardā€¦ with all kind of paybacks, premiums, and whatnotā€¦ all depending on the given cardā€™s contract, payment processorā€™s contract, general account conditions, general bank conditions. Some come with insurance from the bank, some from the payment processor, some donā€™tā€¦ but even then, the bank may or may not request or get your travel details, maybe as a ā€œstandard procedureā€.

            And some do offer online statementsā€¦ and sometimes the statements appear as a pre-statememt, then get completed with more and more data some days later.

  • Dotcom@lemmy.ml
    link
    fedilink
    arrow-up
    4
    Ā·
    1 year ago

    This is only a guess (and Still overreaching) but maybe so your card / account isnā€™t frozen due to unusual location?

    • soloActivist@links.hackliberty.orgOP
      link
      fedilink
      arrow-up
      3
      Ā·
      edit-2
      1 year ago

      Thatā€™s been suggested in the parent thread and another crosspost. Itā€™s the most popular answer but I donā€™t buy it.

      Why would the airline risk the liability of excessive oversharing of personal data for no benefit in return? Is the bank giving them a reduced transaction fee for sharing that data?

  • _edge@discuss.tchncs.de
    link
    fedilink
    arrow-up
    3
    Ā·
    1 year ago

    Remember that this community is a niche audience. Most people would probably find this convenient; you know easily which flight it is.

    Everything here is just speculation, but if you want one more: Airlines and travellers are early adopters of credit card payments. Some people use credit cards only for travel. It does make sense that the industry has better integration than your corner store.