Apple Pay isn't magic, and it isn't 'private'

Apple's new iPhone-based payment system may offer advantages, as will any similar product from competitors. But adding a smartphone to the transaction doesn't add privacy; it removes it.
Written by Stilgherrian, Contributor

"With Apple Pay, you can use iPhone 6 and iPhone 6 Plus to pay in an easy, secure, and private way," begins the Apple Pay security and privacy overview. Well, sort of. It depends on what you mean by "private". As with any commercial product, the brochure is glossier than the reality.

When it comes to security, Apple Pay is certainly a step up from using a raw credit or debit card number. Assuming, of course, that everything has been implemented correctly and is bug free. That happens all the time, right?

Much of the architectural work has been done in conjunction with banks and credit card processors. As explained in this infographic from MasterCard, the iDevice doesn't store the card number, but rather the device-specific Device Account Number (DAN). If some other device attempts to authorise a transaction using that DAN, it won't work.

If the device is lost or stolen, just that single device's DAN needs to be cancelled, not the card number itself. There's no need to contact everyone who had that card number. That's one of the real ease-of-use advantages, along with the potential for easy integration with other smartphone apps — not the idea that taking your phone out of your pocket, logging in, and waving it over an NFC terminal is somehow easier than taking a card out of your wallet and doing the same. Besides, a card never runs out of battery, and is still needed for low-tech merchants.

When it comes to privacy, Apple doesn't get to see what you bought, and the merchant doesn't get to see your card number. "Apple Pay doesn't collect any transaction information that can be tied back to you. Payment transactions are between you, the merchant, and your bank," says Apple's guide.

In fact, some merchants have complained that Apple Pay is too private. Well, too private for them. As US sandwich shop chain Panera Bread told Bloomberg Businessweek, Apple Pay users still have to swipe their loyalty card to be recognised. "Obviously, that's not where we want to be," Panera's executive vice president for technology and transformation Blaine Hurst said. "Why can't I just walk up to a cashier with my phone and all that information magically appears?"

But to call such a transaction "private" is to stretch the meaning of the word beyond breaking point.

The time, location, and value of your financial transactions are still known to Apple and to your card provider — and to every other business they might share that data with. The merchant knows what specific goods or services were purchased for that amount, but not who bought them. But all that is true only if no one does any data matching — either directly between the participants, or by providing the data to data brokers such as Acxiom, Equifax, Experian, or Datalogix, or by collaborating with any of the companies connected with the many, many data-logging apps already on your smartphone.

Given the volume of data being collected and shared these days, supposedly anonymous transactional data can easily be re-identified.

In a recent data-matching exercise, Anthony Tockar of Neustar Research analysed a database of New York's taxi journeys to find the home addresses of frequent visitors to Larry Flynt's Hustler Club. To find their names would be an easy second step. Just "working late", eh?

As International Business Times wrote in its report on this research, "It takes just one or two other pieces of information to turn seemingly anonymous tranches of metadata into precise and specific information about millions of individuals — and not just those who are famous."

In recent years, other researchers have found that they could re-identify 40 percent of individuals in a DNA study and re-identify Netflix users from their movie ratings.

Now add to this mix the facts that almost every retail business has security cameras covering their cashiers, and that face-recognition technology is getting very, very good.

Apple Pay may not give merchants any data that allows them to compile a log of everything that a particular customer bought, but their security systems can help. If the customer then happens to do anything in-store that provides a timestamped and geotagged log entry in a data stream that can be cross-matched, bingo! Anonymity disappears.
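The cross-matching described above, as an added illustration that is not part of the original column: constructed sample data stands in for the two "anonymous" streams, a card network's view (device token, time, store, amount, no name) and a merchant's own timestamped stream (a loyalty swipe at the same register, no card number). Matching on store and a short time window links a token to a named member; the second, wider window shows that coarsening timestamps reduces the linkage but a repeat visitor is still re-identified.

```python
from datetime import datetime

# Constructed sample data (not from the article): the card network's side.
# A device token (DAN) is seen, never the cardholder's name.
PAYMENTS = [
    {"dan": "DAN-1111", "time": "2014-10-20T12:31:10", "store": "store-42", "amount": 8.75},
    {"dan": "DAN-2222", "time": "2014-10-20T12:33:40", "store": "store-42", "amount": 12.10},
    {"dan": "DAN-1111", "time": "2014-10-21T08:02:05", "store": "store-42", "amount": 8.75},
    {"dan": "DAN-3333", "time": "2014-10-21T08:02:30", "store": "store-17", "amount": 4.20},
]

# Constructed sample data: the merchant's side. A loyalty swipe carries a
# member identity and a timestamp, but no card or device token.
LOYALTY = [
    {"member": "alice", "time": "2014-10-20T12:31:15", "store": "store-42"},
    {"member": "bob",   "time": "2014-10-20T12:33:45", "store": "store-42"},
    {"member": "alice", "time": "2014-10-21T08:02:12", "store": "store-42"},
]


def link_records(payments, loyalty, window_s=30):
    """Return {dan: {member}} for every payment that matches exactly one
    loyalty swipe at the same store within window_s seconds.

    A payment with zero or several candidate swipes is left unlinked: the
    wider the window (or the coarser the timestamps), the more often the
    match is ambiguous, but a token seen on several visits is still linked
    as soon as any one visit is unambiguous.
    """
    links = {}
    for p in payments:
        t = datetime.fromisoformat(p["time"])
        candidates = {
            l["member"] for l in loyalty
            if l["store"] == p["store"]
            and abs((datetime.fromisoformat(l["time"]) - t).total_seconds()) <= window_s
        }
        if len(candidates) == 1:
            links.setdefault(p["dan"], set()).update(candidates)
    return links


if __name__ == "__main__":
    print("30 s window:  ", link_records(PAYMENTS, LOYALTY, window_s=30))
    print("1 h window:   ", link_records(PAYMENTS, LOYALTY, window_s=3600))
```

With the tight window both tokens seen at store-42 are named; with the hour-wide window the two swipes on the first day become ambiguous, yet DAN-1111 is still linked to alice through the second visit.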

Businesses may love being able to do this, of course. But how will it stand up under increasingly tough privacy legislation, or what customers themselves will put up with once they figure out what's going on?

Either way, the idea that Apple Pay transactions are somehow "private" needs to die.
