Everyone knows your location: tracking myself down through in-app ads

(timsh.org)

Show context

inahga ◴[02 Feb 25 17:31 UTC] No.42910118[source]▶

There are quite a few interesting tracking flows out there.

My rent is paid through a company called Bilt.

I discovered that when I shop at Walgreens now, Bilt sends me an email containing the full receipt of what I bought like so:

    > Hey [inahga],
    >
    > You shopped at Walgreens on 12/1/24 and earned Bilt Points with your
    > Neighborhood Pharmacy benefit.
    >
    > Items eligible for rewards
    > TOSTITOS HINT OF LIME RSTC 11OZ
    > $3.50
    > 
    > +3 pts
    > TOSTITOS RSTC 12OZ
    > $3.50
    >
    > +3 pts
    > Other items*
    > EXCLUDED ITEMS
    > $0.07
    >
    > *May include rewards-ineligible items and/or prescriptions.

Ostensibly (hopefully) it would exclude sensitive items, plan B, condoms, etc...

I'm curious how this data flows from Walgreens to my rent company, but maybe I'd rather not know and just use cash/certified check from now on.

replies(19): >>42910141 #>>42910150 #>>42910255 #>>42910258 #>>42910275 #>>42910307 #>>42910604 #>>42911346 #>>42911365 #>>42911455 #>>42911597 #>>42911711 #>>42911897 #>>42911933 #>>42913328 #>>42914952 #>>42915737 #>>42922787 #>>42928562 #

curiousthought ◴[02 Feb 25 17:48 UTC] No.42910258[source]▶

>>42910118 #

This is called Level 3 data, and any merchant can choose to provide it for a reduction in the transaction fees they pay.

Here's a small comment thread from a few months back: https://news.ycombinator.com/item?id=41213632

replies(5): >>42910579 #>>42910666 #>>42910909 #>>42910955 #>>42911765 #

1. uoaei ◴[02 Feb 25 18:29 UTC] No.42910579[source]▶

>>42910258 #

Is there any documentation on this to read further? I.e. what the different levels contain and how much on average is the cost reduction for the merchant.

replies(1): >>42910819 #

2. devmor ◴[02 Feb 25 18:59 UTC] No.42910819[source]▶

>>42910579 (TP) #

Here is implementation documentation from Mastercard about l3: https://na-gateway.mastercard.com/api/documentation/integrat...

The cost reduction is very small, it’s applied to interchange fees. I’ve been directly responsible for implementing this functionality on payment gateways for multiple processors because it helps reduce fraud holds as well.

replies(2): >>42911341 #>>42915446 #

3. uoaei ◴[02 Feb 25 20:10 UTC] No.42911341[source]▶

>>42910819 #

Separate question, what are your ethics around the surveillance of Americans' economic activities by private actors? What "rights" are relevant in this space and which do you subscribe to?

I'm not going to debate you about anything, I just don't get the chance to ask insiders any of these questions.

replies(2): >>42912197 #>>42912981 #

4. chgs ◴[02 Feb 25 21:50 UTC] No.42912197{3}[source]▶

>>42911341 #

Do you think there are different ethical concerns when dealing with non Americans?

replies(1): >>42912310 #

5. actionfromafar ◴[02 Feb 25 22:04 UTC] No.42912310{4}[source]▶

>>42912197 #

Also a great question.

6. devmor ◴[02 Feb 25 23:26 UTC] No.42912981{3}[source]▶

>>42911341 #

My ethics are “this is unequivocally wrong without consent”.

Thankfully my work was on payment products that serviced businesses and government entities, so I did not really have to deal with that moral quandary.

However it gets muddier in other spaces as well. There are types of cards, like HSA/FSA that require something similar to level 3 data called IIAS that is used to determine what parts of your purchase are eligible. In the parts of the systems I have worked with, this is covered by HIPAA, but I have no idea if there are “clever” methods to sneak that data out of the chain elsewhere.

7. no_time ◴[03 Feb 25 06:09 UTC] No.42915446[source]▶

>>42910819 #

Is this data requestable via a GDPR takeout?

searching for “mastercard level 3 data takeout” and such bring up the same 5 pages that are not relevant.

↑