Google seems to have signed me up for Google Pay without asking (twitter.com/paulg)
148 points by caaqil on March 16, 2022 | hide | past | favorite | 89 comments



> Somehow Chrome autopopulating credit card fields got transformed into me having a Google Pay account.

If you give a company your information in one department, another department will invariably use it. See also: Facebook using the phone number you put in for 2FA for targeted marketing [1].

[1] https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...

> The old "don't be evil" Google wouldn't have done this.

What's the "old" Google? You mean like Google Latitude, circa 2009? [2] [3]

[2] https://www.computerworld.com/article/2530951/privacy-group-...

[3] https://www.nytimes.com/2011/03/22/technology/22privacy.html


Chrome card autofill was always stored via a separate Google API, which is why you need to input the CVV to autofill the card number and can't just pull it from your local sync database file. You've always had a "Google Pay" profile, it's just now in a dedicated screen.


It's worth noting that this is exactly what GDPR is meant to stop. Specifically, if they take your data they need consent and they need to be upfront about what they're going to use that data for. So if they say "Hey, would you like us to store this data for auto-complete" and then take it and use it to create a Google Pay account, then they don't have consent and can be fined.


Corporations treat fines as cost of doing business. In order to actually be effective, there need to be mandatory minimum prison terms for C-level staff who greenlit a particular program.


Depends. If you make the fines company-changing, then they can work.

I'm also all for throwing C levels in jail ALONG WITH the board as well. They want to benefit and sign off on choices of the company? They can also hold said responsibility on illegal stuff.


I do agree that there needs to be more personal accountability, although I think the bigger issue here should be people in the finance world. Some of the fines have been quite large and do serve as a deterrent. H&M was fined 35 million EUR, which is a sizeable number even for a firm their size.


The total amount of all GDPR fines ever (all 907 of them) is ~€1.5 billion [1]. Google's revenue for 2021 alone was €230 billion [2].

Fines may deter small and medium-sized corporations, but not large ones. Therefore something else might. Like prison.

[1] https://www.privacyaffairs.com/gdpr-fines/

[2] https://www.statista.com/statistics/507742/alphabet-annual-g...


How about making fines commensurate with company revenue?


That and a wildly escalating pay scale for reoffenders.


Or, just a lot bigger fines would probably work.


The maximum GDPR fine is 4% of the previous year's revenue, or in the case of Google $3Bn.


The maximum is 4% or €20M whichever is HIGHER.

So, for a one-person startup, €20M means game over.

https://danuker.go.ro/gdpranoia.html#fines


I wouldn't be surprised if that "or" clause was added specifically to kill one-person post-box companies that only exist to carry the risk. Big Tech is very good at throwing empty shell companies at problems that involve paying money, like taxes.


This has never been applied and will never be - GDPR enforcement is a joke.

The combined amount of fines across all companies over the GDPR's entire 4-year lifespan is just 1Bn.


There's a transition period. We can't start enforcement with the maximum available penalties.

If the lower don't suffice, we will get closer & closer to the maximum.


The transition period is getting a bit long now and companies are still making billions on violating the GDPR.


Someone will quickly point out that this is exactly the advantage American startups have over European ones.


lol, the old Google and its mission statement; I wonder if it ever followed that, vs. it was all PR that many fell under its spell. I surely did, then I was invited to demo my invention/tech to Google ATAP and whoa, it was a huge spit-in-my-face type experience, and similar to this MIT student's experience https://news.ycombinator.com/item?id=18566929. Hers was worse as they blatantly patented her work after her interview without her knowledge and consent. Yet they got caught.

I am an avid DDG user and advocate ever since realizing wow, Google stomps on all the dreamers it inspired.


Goodness gracious, "I demo'd my work to $BIGCO and they stole it". Imagine my surprise. This has been going on since the start of the PC era. I don't condone it in any way, but trusting $BIGCO is like trusting the mafia; don't do it, or have a private army (lawyers, gunmen, doesn't matter).


lol I went out there with a provisional patent filed, which is a waste of money you later learn, 'cause you need a similar war chest to your opponent.

My point is Google's motto/PR was "Don't Be Evil," and that was just a ruse, and her experience helps prove that, as well as prompting users to be disenchanted by them, who also were sold and bought that same crap.

Further, I am more than happy to tell my story and more importantly her story with evidence, to warn those who have Google's stars in their eyes to demand millions before taking a meeting!


Google Latitude was an opt-in service.


> Google Latitude was an opt-in service.

Ostensibly, so is Google Pay. And yet here we are. See also, from the third link in my previous post:

> And the privacy watchdog said users of Latitude were not informed that Google tracked their movements to enhance its database of Wi-Fi information.


Except Google never automatically opted users into Google Latitude, so it is not at all comparable to what pg says happened with Google Pay.

> And the privacy watchdog said users of Latitude were not informed that Google tracked their movements to enhance its database of Wi-Fi information

This looks like they are confusing two different things (Latitude and Location Services, though maybe Latitude required Location Services to be enabled). Are iOS users warned that getting their location on iOS at all is used to enhance Apple's database of Wi-Fi information? The difference is that on Android, this is opt out with an explicit prompt at device setup, and on iOS, you can't even opt out. Which is more evil? https://news.ycombinator.com/item?id=21708157


> This looks like they are confusing two different things (Latitude and Location Services, though maybe Latitude required Location Services to be enabled).

The Google Latitude case also resulted in an actual fine levied. Your stance is that this fine was all because the regulatory body "was confused"?


No, you're confused about that because your article mixed up Street View and Latitude claims. The fine for Latitude was for processing location data collected from French users in France, which requires filing with the French government, not for any nonconsensual data collection. https://larevue.squirepattonboggs.com/google-street-view-and...


> not for any nonconsensual data collection.

It was absolutely for nonconsensual data collection. From the very link that you provided:

> The CNIL held that since it was carried out without the knowledge of the data subjects, the collection of data using the “Google Cars” or the mobile phones of “Google Latitude” users was carried out unfairly and therefore in breach of article 6.1° of the French data protection law.


And if you read the article, the complaint is that Latitude used the data illegally collected from "Google Cars" to perform its service, which it considered an unfair advantage. Latitude itself did not collect any data without user consent.

> In order to implement this service, the company used the same vehicles used for “Google Street View” – the “Google Cars”, equipped with 360° cameras and sensors to enable different types of data to be collected.

If there were any nonconsensual data collection in Latitude, you would expect to see other fines or Google changing the service. Neither happened. On the other hand, there were other fines for Wi-Fi data collection from the Street View cars, and Google did make fixes to it in response.


I am not sure why you continue to misrepresent this case. Using Google Car data was only one of the privacy violations, the other was mobile phone data.

I will post the quotation one more time:

> The CNIL held that since it was carried out without the knowledge of the data subjects, the collection of data using the “Google Cars” or the mobile phones of “Google Latitude” users was carried out unfairly and therefore in breach of article 6.1° of the French data protection law.

Notice the whole "or the mobile phones" section, which comes after the Google Cars section which you are pretending is the only pertinent section?


And I am not sure why you keep pretending there was any nonconsensual data collection from the phone, quoting the article author's poor wording instead of the actual claims brought against Google. The article specifically describes which data was nonconsensually obtained by the cars. Can you tell me which data was nonconsensually obtained from phones? Look at the numbered claims.

Edit: I can't respond because you've made this thread too long. Once again, reread the numbered claims that CNIL brought against Google. None of your quotes are supported by the claims. (Technically, you're misinterpreting the first quote in your comment below, which is about data collected for Latitude, not data collected by Latitude. To avoid making mistakes of interpreting the author's interpretation, simply read the numbered claims.)


> Can you tell me which data was nonconsensually obtained from phones?

This is clearly explained, multiple times, in the article that you yourself linked to:

> This time, the CNIL decision, dated 17 March 2011, concerns data collected for the implementation of the “Google Latitude” service, which enables geolocation of users that have a Google account and a “smartphone”.

> The users’ phones themselves since they are used for the purposes of geolocation.

If you are claiming that no phone data was collected, then how do you explain this quotation which I have now quoted three times:

>>> The CNIL held that since it was carried out without the knowledge of the data subjects, the collection of data using the “Google Cars” or the mobile phones of “Google Latitude” users was carried out unfairly and therefore in breach of article 6.1° of the French data protection law.


Although you might not like it, the use of your location to improve the database of access points on iOS is carefully anonymized and thus practically harmless and not evil. It’s comparable to Google using your location to build its traffic information if you navigate using Google Maps. If they did it anonymously which I haven’t investigated but doubt.


Google also claims to do it anonymously. The only difference is that Android lets you opt out, so a wiretap order to Google can't get your location.


I have not seen any cases where this has happened which suggests that either the data is available more easily somewhere else or isn’t available at Apple or Google.


(Googler, opinions are my own). I work on payments, but I don't have intricate knowledge about how autofill and "google pay" accounts work.

I think the confusion here is around having a payments profile and Google Pay. Looks like we started calling your payments profile now having a "Google Pay account".

There is Google Pay (the app for tap-and-pay, along with P2P payments), then there is having a Payments Profile (which apparently we're now calling Google Pay, because that's not confusing), which you use for buying things on Google's properties.

There used to be a https://payments.google.com but that just redirects to https://pay.google.com/. This is your payments profile. As far as I understand, when you added a card for chrome autofill, it would create a payments profile, as the card was stored as part of that system. The support docs say something like this: https://support.google.com/chrome/answer/142893?hl=en

> When you’re signed in to Chrome and you enter your payment method into an online form, Chrome may ask if you want to save your payment info in Google Pay. If you accept, your payment information is saved in Google Pay. If Google Pay doesn’t support your payment method, Chrome may offer to save it locally on your device.

The Google Pay app (used for Tap-And-Pay) has its own activation process for being able to use a card, as it requires a 2FA process (depending on your bank).


I got bitten by a strange variant of this the other day. I tried using Lyft (which I'd done in the past on other phones), and on Android it uses "google pay" with seemingly no other option.

Even though I had (somewhere, somehow) entered multiple cards into one of these google payment systems previously, none of them were actually usable for "tap to pay" purposes. I never cared about this fact because I have a Garmin watch which implements its own tap to pay.

It turns out that Lyft required that I have a "tap to pay" account set up. Upon requesting a ride, I received an error stating that none of my existing Google Pay methods were valid. The only thing I could do at that point was to register one of the cards that Google already had on file for "tap to pay," which in turn required that I complete the provider MFA enrollment process.

This meant that I had to sit on hold for 10 minutes and give them some personal information before I was even able to request a ride with Lyft. Which sucked, because I was tired and wanted to get home.

The UX was completely terrible here. I don't know if Uber would've been the same way, but I want to nope right out of this entire stupid ecosystem.


Googler, opinions are my own.

I think this is done as a way to do "in app" purchases that don't flow through Google. Tap-to-pay cards are effectively single use (due to the cryptogram that gets passed with it), it won't store the card with Lyft.

The other way Google does integration with 3rd parties is the "Pay with Google" button on websites, that will vault your card on file at Google into stripe or braintree, then the merchant can use that for a transaction.

Both of these methods move the liability of the payment onto the merchant (Lyft in this case).


Interesting, now I will make sure never to use my smartphone for payments.


This flag in chrome://flags might be relevant.

chrome://flags/#enable-autofill-credit-card-upload

"Enables a new option to upload credit cards to Google Payments for sync to all Chrome devices. – Mac, Windows, Linux, Chrome OS, Android, Fuchsia"

They've really ramped up the "Google" in Google Chrome these last few years. The "save payment" nag box was annoying before, now I'd move it firmly into the dark pattern region, as it attempts to convince you to move your payment into their payment services not just saved locally.

The fact that there is no "never ask me again" option for that save payment dialog seems like nefarious UI 101. How could a billion dollar company make such a rudimentary UI mistake in a flagship product? Well, they probably didn't make a mistake, they're just getting worse as a company.

Meanwhile, I am blocked from reading any more of that twitter thread by the uncloseable twitter sign up nag screen. What an antagonistic web!


As another example of increased Google services integration in Chrome whether you like it or not -- I have been trying to figure out how to turn off the "login with google" prompts everywhere -- the relevant flag in Chrome has not done it.

Ironically, this may be what finally drives me back to Firefox!


I don't think that will help, I get it in Firefox in both Android and OSX.


ohhhh that explains why the Chrome flag doesn't turn it off!

Chrome does have a built in "log in" screen, but I guess websites are embedding one similar enough that it confused me.

Weird... do they offer this to everyone, or do they have tracking that lets them know I'm logged into Google?

I see it on media/news sites, among other places.


Replace twitter.com with nitter.net to view Twitter without the nagging


Done, but it's the actual content of the site that is awful. So, undone.


Google Pay seems to share its data with payments.google.com and by extension Play Store, Play Movies and other services.

I bet that's where his "signup" came from - although every time I want to add a card to Google Pay on phone/watch I need to go through a tedious signup process involving my bank and SMS tokens, so I find this tweet very suspect.


There's multiple forms of "Google Pay" and people seem to be confused about this. You are talking about adding a card to tap-to-pay, and therefore generating a tokenized device account. That requires verification as you are essentially "creating" a "new" card.

"Google Pay" is also the name of the peer-to-peer transfer service Google has (had?) which accepts debit and credit cards and allows you to pay others. This only uses standard address verification.

"Google Pay" is also the name of the payment processing service Google uses for their own services, like the Play Store. Adding a card here also only uses standard address verification.

Data is shared between these three systems. If you have already registered cards with 2/3, they will be pre-populated when you try and add a new tap-to-pay card, and at that point you do the SMS verification.


>There's multiple forms of "Google Pay" and people seem to be confused about this.

>Data is shared between these three systems.

I understand the point you're making, but if the three systems share the same name, and they all share data between themselves, then for all intents and purposes it's one system.


The point I'm really making is that not all forms of Google Pay require the same amount of verification, so it's quite conceivable that the author of the Tweet didn't go through rigorous 2FA like the GP comment did.

Whether it's considered one or multiple systems is a pedantic opinion that will depend on the person and doesn't really change the core point I'm making.


For most people, it would surely be BS, but I'd be surprised if PG is making this up.


This. The issuing bank/institution needs to verify additions to any 3rd party processor like ApplePay, GPay etc

The tweet is a little bit weird too because he assumes it's because he used a card somewhere and makes it seem like his card was added to Google Pay, which can't automatically happen.


Yup.

Apple does the same thing.


Last I checked, Apple is explicit in saying you must add a payment method to Apple Pay.


Yep, I even need to confirm via my bank (online or app) to enable a card with Apple Pay (per-device as well, it's not just added to my Apple ID and then allowed everywhere).

I'm in the EU though, I'm not sure what it's like in the US.


Google has set up a payment profile without my consent after they've asked to verify my account with a credit card. These [1] are some previous comments with the details:

> A month ago I was asked in a surprise email to verify my age for YouTube with a credit card, which I did to avoid landing in support hell later on, because I publish browser extensions with the Google account.

> I rarely log in, and I wasn't using the Google account at the time the email was sent, nor do I ever use the attached YouTube account. The card was saved in Google Payments without my consent.

> I live in the EU. Their support page mentions that they will ask for age verification when you attempt to watch a restricted video, but I was not using the YouTube account.

> https://support.google.com/youtube/answer/10070779

> Then there's also the question of creating a payment profile for the user without consent.

> > If you enter your credit card info for age verification, Google will retain this data as necessary to meet legal and regulatory requirements.

> https://support.google.com/accounts?p=age-verify

> Meeting legal requirements is very different from saving your card in Google Payments, which then you can readily use to buy products in any Google service.

They are hopelessly deceptive, and will not shy away from breaking the law every step of the way just to prop up other Google services.

[1] https://news.ycombinator.com/item?id=30305345


On an unrelated note, I can't believe someone using Chrome is surprised by something like this. If I were using Chrome and signed into my Google account from there, I'd assume all bets were off.


Does this remind anyone of Google+? They had tremendous fake "engagement" forcing people to sign in to Google+ to use youtube, docs, etc. Google is going back to their old playbook. Hope someone is getting a very nice promotion from this.


Someone on HN complained Google stored their credit card after using it to verify their age for watching a YouTube video.


Paul Buchheit (ex-Google, ex-Facebook & ex-YCombinator) was the one to suggest 'Don't be evil'.

He left Google in 2006 to join Facebook.


All the payment systems we have suck. Especially for aging parents, it's seriously like paper checks are way safer and easier, for them. How appalling is that?

I like the idea of Zelle, owned by the banks, no fees, no spam, instant - but rife with fraud, so I don't feel fully comfortable having aging family members enable it. You cannot increase or decrease your send limit either. Complete shit. It's all automated, of course it should be possible to set a limit.

Google Pay keeps changing. I hate it because it's inconsistent and thus not trustworthy that I'll have anything like the same functionality today, tomorrow.

Paypal and Venmo are really the same company, and I long ago lost respect for Paypal. Venmo is worse because it adds social media on top of Paypal. So those are out.

Apple might have the best pay app now except it's iOS only and thus I think it's shit, because I value interoperability.


Someone's promotion is probably tied to increasing a related metric.


Your comment makes it sound like nobody cares, is that the case in such situations?


They signed my business accounts on to their obnoxious chat without asking. Thankfully, I caught it before some customer tried to chat.


I disable all these sorts of "save my information" features in any browser I use, but there's really nothing stopping the browser from collecting that anyway. I just trust that the config settings do what they say they do.


"Growth hacking"


Makes me wonder if a large company like Facebook has ever "accidentally" counted their shadow profiles in user growth numbers.


Facebook's initial growth hack was getting contacts in individual universities to send email rosters to them so they could send hand-crafted invites to be in the network.


^ bots.

2 Billion DAUs is an insanely larger number of users and I hardly know anyone who is using Facebook much anymore. Surely that's anecdotal and there are parts of the world where FB is the gateway to the Internet.


Slightly off topic but I would love it if HN just banned twitter links and mandated nitter links or something.


Just checked. I too have a Google Pay account (with zero activity). I never signed up for it. I never used it. I'm simply a Google customer (email, YouTube). You may argue that this is a unified payment service, but none of these payments show up in Google Pay. So YouTube does not use Google Pay to pay for it. It means that Google Pay just got the data from my account and got set up automatically. Google sucks. So if I had an Android phone, would it be active now without my knowledge?


> the old "Don't be evil" Google wouldn't have done this

Just so we're on the same page, I have to assume that'd be the Google that predates Buzz auto-populating your contacts from Gmail, which resulted in people being "Buzz friends" with abusive exes and other folk that people will do business email with but don't want social conversations with.

So, pre-2010 Google.


On a related note, I signed up for an Amazon Store Card and without my permission, Amazon assigned it as the default payment method for every one of the (~15) addresses on my account. I used the card by accident before I realized it.

I wonder how much they’ve made in finance charges from customers who were tricked into using this card this way.


I found this very annoying the other way.

I have added my card via the play store, but now my chrome tries to auto-populate the credit card number. I'm pretty unhappy with it, since I don't want that information in google chrome.

(Sounds like the same thing, they share the data between all of the services, which doesn't feel great when the data they're freely sharing is credit card info.)


Actually Google Pay is broken in the other direction: it does not sync between devices, while Chrome's credit card autofill does sync. So I have my main credit card in Chrome on all signed-in browsers but if I try to use the Google Pay button on a merchant's site it will only offer cards that I've manually entered in Google Pay on that device before. It's shipping the org chart in the worst way.


Chrome would offer to store passwords, and if you misread, it would offer to store passwords in your Google account so you can use it on any Chrome session as long as you log in.

I didn't appreciate finding out that Google had my passwords...


I really don't get the surprise. Data saved in chrome is saved into your Google account, whether they label this data under pay doesn't seem to be of a surprise to me at all.


When I see things like this from a company like google it tells me the company knows its dominance is coming to an end and its leadership is afraid and panicking.


If this is considered an application for credit, you actually can sue them individually and you definitely would be successful.


Typical Google, and all their nonsense in everything they touch. They will just never change.


Single? Signing you up for Google Meet! Oh wait, that one is taken...


Google is losing on being the best search engine. Mozilla is no longer making a great browser.

I am actually very hopeful for the next generation of hackers building things.

Cracks are starting to show in the massive walls of these large organizations.

I have a feeling soon we are going to have the next generation of wonderful companies and technologies and they won't be Google et al.

Apple still seem to be able to pull off great things such as the M1, but I wonder how much of that is TSMC.

Great time to be a venture capitalist who understands hackers.


I don’t really understand this - is it possible to have a Google account and not have a Google pay account?


Yes.


If you’ve never used Google pay and go to pay.Google.com it asks you to sign up? I tried just now and I already have a profile with no activity. Looks like the profile can be closed if you like though.


PSA? Unfortunately it looks like the Google Pay service is tied to Google Domains. They state your Google Domains service will be canceled if you close Google Pay. Don't accidentally lose your domains!


> Uses google product x to store payment information

> Surprised when he has an account on google’s payment product y

How is this evil? There is literally zero negative outcomes from this.


Where's the line on this kind of thing? If I type my CC info into a text file using VS Code should I expect Microsoft to add the CC info to my Microsoft account? What about just typing my CC info into any field when using Windows?

Edit:

> How is this evil? There is literally zero negative outcomes from this.

I like to think of every online account as a liability, because any one of them can be compromised and cause me a bunch of headaches. The "level" of headache depends on how much information each service has about me. What gives Google the right to expose me to more risk in this way?


This one is different, you logged into Chrome with your Google account and stored the data of your credit card to the same google account.

If you type your cc info into vscode with your msft account logged in and a sync option enabled then you also shouldn't be surprised if you found it into your msft account.


Because in no way should payment product y be able to see, store, access, or otherwise use google product x's sensitive stored information without explicit user consent

In storing card data in product x, the assumption of the user would be that that product is storing that card data for future autofill purposes in product x

Discovering that this data has somehow been turned into an entire financial account on product y without consent should enrage any reasonable user of product x


What's an "entire financial account" though?

It seems like what happened is Chrome used a special backend for storing credit card info associated with your Google account, and this Google Payment product now literally just became the interface that lets you manage your credit card information that was already associated with your entire Google account across all Google products.

I think if there was "leakage" it happened at some point earlier than this: the user thought they were storing a credit card autocomplete in Chrome, but actually they were storing credit card info associated generically with their Google account, and e.g. was already linked to Play Store for purchases. The fact that the spot where you go to manage the "Google account associated credit card info" is accounts.google.com or payments.google.com seems pretty irrelevant here.


It isn't for you, me, or Google to determine whether or not there are potential negative outcomes coming from the unexpected use of very sensitive data such as CC #s, or what amount of risk is acceptable. That sort of assessment can only realistically be done by whoever's data it is.

That Google appears to be so cavalier about this is a serious, but unsurprising, thing. I don't think I'd call it "evil", though, so much as "abusive".

