Is PayID look-up no more a breach of privacy than a phonebook?

Being able to find someone's name and mobile number through the New Payments Platform PayID system shouldn't amount to function creep, but it does, and NPP Australia says it's the user's choice to opt in.

The company in charge of monitoring Australia's New Payments Platform (NPP) issued a statement last week in response to concerns that its PayID look-up function is an invasion of privacy, after "a person on Twitter" posted screenshots of himself entering random mobile numbers and getting back PayIDs registered to real people.

"We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start discussion about PayID and privacy issues," the statement reads.

"While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt-in to create a PayID."

The NPP went live last week and allows money to be transferred from one person to another in near real-time via a PayID, using an email address or phone number rather than the traditional BSB or account number process.

A PayID is a unique, user-specific number, and when a payment is made through the new method, the name registered to that PayID appears as part of the confirmation process.

"PayID's payee confirmation step was designed to address scam and fraud risks, as well as the risk of mistaken payments, providing more reassurance during the payments process," a spokesperson for NPP Australia told ZDNet.

"It's anticipated that the PayID name display will help to reduce the number of mistaken payments, as well as some cases of fraud."

However, this means that a person can be found by entering their mobile number -- something already possible through the search bar on Facebook, as one example, despite it being somewhat immoral and creepy.

Landline and business phone numbers have also been available for decades in the White and Yellow Pages directories, so is this PayID function that different to a telephone directory?

According to Steve Wilson, vice president and principal analyst with Constellation Research, it does have its differences: it is more of a reverse phone book, which allows someone to be found from their number.

"Historically we have been allergic to reverse phone books, and mobile phone numbers have been more or less unlisted. But yes, you can Google many mobile numbers and get their owner and yes, 'wild west' reverse directories are all over the web," he told ZDNet.

The practical impact of PayID lookup is probably mild, but Wilson said it is catching a few people off-guard to see mobile numbers converted into names.

"Nevertheless, this is a whole new class of personal information flows, and we are using mobile phone numbers for yet another rather novel purpose," he added.

"But let's not be blasé about this. It's called function creep and is a prima facie privacy risk. We are using the phone system for things it was not intended for and might not be fit for."

Although not responding directly to a question asking if Privacy Impact Assessments were conducted to map information flows from PayID, the NPP Australia spokesperson said that when PayID was developed, privacy issues and requirements for compliance with privacy laws were "extensively considered, alongside fraud and security, by a range of committees comprising experts from within the participating financial institutions and the wider industry".
