Who Owns Your Financial Data?
That’s the question we should all be asking. Now that Mint has finally launched and joined Wesabe, Geezeo, Buxfer and a few others in the personal financial web service space, it’s time to discuss what it means to take your personal financial data out of the hands of your bank and credit card company (who think they own it but do not) and put it on the web.
Wesabe, a Union Square Ventures portfolio company, has a Data Bill Of Rights.
- You can export and/or delete your data from Wesabe whenever you want.
- Your data is your data, not ours. Our job is to help you understand and act on your data.
- We’ll keep all of your data online and accessible for as long as you have an account. No “archive access” charges.
- Any data you want us to keep private, we will.
- If a question comes up not covered by these rights, we will answer it remembering that your data belongs to you.
That’s a good start. But I think it’s time to discuss this at length. And there’s no better place to do that than in the blogs. Here are some questions to ponder.
– who owns the metadata you and others create about the transactions that come into the system?
– is it better to let the service do the tagging or is it better to let the community do the tagging of the transactions?
– should the tags be shared and if so, when and with whom?
– where should your login and passwords be stored?
– can these services be hacked?
– is personally identifiable information (PII) being stored with the data?
I am sure there are more questions. So now that we have a full-fledged category here with at least four high quality companies in it, let’s figure out the rules of the road.
IMO companies need to have full access to do whatever they want with metadata.
It’s your data. It’s your choice where you store it. You have to assume that their service will be hacked at some point. Much more sophisticated services have been – theirs will be too. What happens to your data once it’s been exposed? Your login and passwords should NEVER be stored on the server. Security by obscurification is not security. There is only one way to do this and that is to be open about how things work. That’s unlikely to happen, so ultimately you take a risk on having your data exposed. The key is to understand the downside risk and mitigate against it. All of these services rely on one thing – Trust. Once that trust is broken, however it’s done, it will be incredibly hard to resurrect it. All you have to do is ask yourself – what if everyone reading this blog suddenly got to see the data I stored on Wesabe? Now it may not affect you totally because you’re well diversified – however for people who aren’t it becomes an immediate violation of their personal space. That’s tough to recover from. Also – here’s one more thought. What if the Government wants to inspect my online financial records (or lawyers in a divorce action) – what are my rights?
I sort of think this is a moot point. Those who are concerned about who owns what will not use any of these services. I believe all these services have some sort of bill of rights. Once these services get an FDIC type guarantee adoption will increase. I really like MINT and had a good feeling about them. I believe MINT will become a leader in this space. Security is important. One breach and it’s over for all these services.
Hi, I’m Jason, CEO of Wesabe (a USV portfolio company). Thanks Fred for starting this conversation. Peter, the question you raise about trust is really important…because sometimes too much trust can be a really bad thing. At Wesabe your passwords are NEVER stored on a server. We maintain your credentials on your hard drive – decoupling the credentials from the data associated with them. We also don’t pass your credentials onto a data middle man in order to pull data out of FIs (both Mint and Geezeo share your passwords with third parties). You also correctly raise the issue of privacy (which we think is just as important as security). We protect our members’ privacy by building a “privacy wall.” Here is how it works: The data that you submit to Wesabe is divided into two categories: public and private. Public data is associated with your public persona (i.e., your public user name and user photo, if you have provided one) and consists of tips, goals, comments, and other data visible by other users. Your private data, which consists of your bank accounts and transactions, is only connected to your public persona by your password, which is not stored by Wesabe. Therefore, your private data can only be connected to your user account when you are logged in; when you log out of Wesabe, the connection is completely severed and your privacy protected. Steve Kane, I think in many ways you prove Fred’s point. In your description of data ownership you showed the way banks use an individual’s data to derive value. I think that what Fred is asserting, and we agree, is that the users should have at least as much control over their data as the FI. Put another way, consumers own the money they put in banks, and they *should* own the data associated with the money. Banks, as long as they remain solvent, can make use of the money and the data. However, at the end of the day the money and the data belong to the consumer.
I’ve been in the private beta of Mint for a very short term (for whatever reason it was only a week after tooling with the beta that it went live at the TC40). My bank isn’t on the service yet and so the only card I have is my CC. For Mint to become a leader in the space over Jason and Wesabe they have to get the vast majority of banks (obviously they know this). The tagging system was something I commented to the company on; it should be user focused in that I want to label certain purchases as what they are. The concept is simple, everything I buy at the local gas station isn’t fuel, so I want to tag it as food or entertainment, etc. I think it makes sense to give users fundamental guidelines for tagging but also open it up for their discretion wherever possible. I’m extremely excited about services such as this because I’m such a lousy accountant (I’ve never balanced a checkbook and have overdrawn my account a handful of times since college a few years ago.) This space is going to be big for my generation (Y) and MUCH MUCH bigger for the generations younger. Security and privacy are obviously huge concerns, but for the most part most of the people I know are completely comfortable with buying/posting info online because our banks and CC companies are fraud protected. That said, one slip up and I’m off the service for good.
Anybody willing to give all their online banking passwords to a startup to store on their servers deserves whatever pain they have coming. Any startup that asks people to do so is the reason for the mindset where people give up all security for a little convenience. That’s what has led to every friggin’ security fiasco. Even a financial institution has no reason whatsoever to store your password. (Just a hash… you enter your password, they hash it and compare to stored hash, and never store the actual password, and the hash cannot be easily reversed). And a bank at least has a franchise to lose, unlike an other-people’s-money startup. (Wesabe is doing this part right, I just want proper reports/budgets!)
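An added example, not part of the comment thread and not Wesabe's or any bank's code: a sketch of the two ideas discussed above, storing only a slow salted hash for login (the comment directly above) and linking private records to an account only through a value derived from the password (the "privacy wall" described by Wesabe's CEO). The `Service` class, its method names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for real hardware


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    # One slow KDF, two independent outputs: the purpose label keeps the
    # login verifier and the data locator from being the same bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, ITERATIONS)


class Service:
    def __init__(self):
        self.users = {}    # public side: username -> salt + login verifier
        self.private = {}  # private side: opaque locator -> transactions

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt,
                                "verifier": derive(password, salt, b"login")}
        # The locator is never written next to the username.
        self.private[derive(password, salt, b"locator")] = []

    def login(self, username: str, password: str):
        rec = self.users.get(username)
        if rec is None:
            return None
        candidate = derive(password, rec["salt"], b"login")
        if not hmac.compare_digest(rec["verifier"], candidate):
            return None
        # Held only for the session; dropping it at logout severs the link.
        return derive(password, rec["salt"], b"locator")

    def add_transaction(self, locator: bytes, tx: str) -> None:
        self.private[locator].append(tx)

    def transactions(self, locator: bytes) -> list:
        return list(self.private.get(locator, []))
```

The link between the two stores is only as strong as the password: anyone holding both stores can guess weak passwords offline against the verifier and then compute the matching locator.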
I completely agree with Druce on this. I’m a pretty adventurous user of online services and have been for some time, but giving a startup the keys to the kingdom (my financial usernames & passwords) just sounds nuts to me. I’ve worked at and built a startup and have consulted to large banks and insurance companies. You can say what you want about the dynamism of the former versus the latter, but when it comes to my money, I’ll take the controls and conservatism of large financial services companies. And, yes, I know they occasionally lose a laptop full of social security numbers. I can only imagine Mint as a service offered by large, branded banks.
(to Robert I would add… no bank or CC company is going to guarantee your security when you post your password online… and good luck trying to recover money when it’s missing from your account)
I’m not as focused on privacy as maybe others are. Yes, I want my financial data to be private, but I trust Jason and Wesabe (and other companies like Mint) to do this right, even if they have to perfect it over time. It’s not that I don’t trust the bigger banks and credit card companies to do the same, but what they’re obviously not doing is making it easy for me to track, understand, and analyze what is a very fast flowing transaction stream in my bank account. Do you know that Wells Fargo, where we bank, still won’t let you put your transactions or outgoing bills into categories? (Tagging? Forget it.) My wife and I together are probably 80% card swipers and only 10% cash and 10% checks. Between us, we probably have 300 card transactions per month. Wesabe, which I use, has been a life saver in allowing me to see that data through tags and graphs in a way that I can make sense out of it. This has been the hook for me so far. I’m also excited about the social component. Right now the benefit is more general: we’re doing it together. But I would love to see how information and resources could be pooled to make people wealthier and all around happier and make the banks work harder for their money. Wesabe could become that kind of platform.
Mint has a similar “Bill of Rights” under our “How Mint Keeps You Safe” link: http://mint.com/safe.html
How Mint Keeps You Safe
1. Your data is secure. Only you have access to your data on Mint.
2. Your data is always private. Your personal information is never sold to anyone.
3. Your data is yours. You can take it with you or remove it anytime you want.
4. Mint works for you. Mint’s advanced software identifies personalized ways to save you money, avoid fees, and decrease financial risk.
Mint believes not only in simplifying your financial life, but in having a readable and comprehensive privacy and security policy anyone can understand. Mint keeps your data private, and limits collection of any personally identifiable information.
* We require only a valid email address for login registration for the service. Notice that our signup page never asks for your name, address, or SSN.
* Your personal information is never sold to third parties. You will not end up on someone else’s email list.
* You can delete your account at any time.
a start… but for every mission statement that says ‘only you have access to your data’, somewhere there are a bunch of sysadmins laughing their you-know-whats off… But thanks for clearing that up – I’m so relieved that you aren’t asking for my SSN! just usernames and passwords to all my online financial institutions…
Aaron, thanks for participating in the conversation. I believe that Mint will delete a user’s account, but does Yodlee (data middleman that actually pulls member account data from FIs) delete the account as well? Do you require your aggregation vendor to adhere to the same standards that Mint promises?
Steve Carpenter, the CEO of Cake Financial here. Glad to see Jason and Aaron posting and taking the same thoughtful approach to privacy and security that we do at Cake. Cake is built like the banks and brokerage firms you already use and trust. You can see our specific policies at https://www.cakefinancial.c…. At Cake we have three core principles when it comes to our members’ information:
1. Members are in Control of Their Information
2. State of the Art Security Infrastructure and Policies
3. No-Hack Assurance
Cake uses the same data classification system that is standard for financial services; i.e., public, private, and secret. And then we attach policies to each classification.
Public – no restrictions
Private – should only be shared with the user who owns that data, but exposure would not incur a financial loss
Secret – financial loss would occur if data was exposed
We believe in our approach and systems so much that we will reimburse any Cake member in the unlikely event that they experience a financial loss as a direct result of our negligence. I do not believe anyone else does this.
Great topic. But in addition to trust and ownership of financial data there is another issue to consider: one would normally expect a financial software to get the basics of math. Not so with Mint! They just promised me that I can save $35,977 by switching to CapitalOne: http://www.xmlaficionado.co… Not a joke – I’ve posted actual screenshots!