Modern payment processors are making hard choices every day about how and when they’ll stand up for users. Whether they comply with or reject a government request for user data and whether they shut down an account or leave it up can have enormous ramifications for what types of speech can thrive online. These choices shouldn’t be made in a bubble, shielded from public oversight.
Payment processors like Stripe, Paypal, Bitpay, and Coinbase are the intermediaries that allow you to support your favorite websites, send donations, and make purchases online. They’re often privy to details of your financial life, which can be deeply revealing. Your finances can say a lot about your daily habits, your political orientation, your physical location at different moments in time, your associates, and your health concerns. Given how sensitive this information is, you might assume that law enforcement agents must show probable cause to a judge and receive a search warrant before accessing financial records. But you’d be wrong. Financial data is frequently obtained through a less stringent process, such as a subpoena, a 314 (a) request, or a National Security Letter, none of which require review from a judge before being sent to the financial service provider. Furthermore, the financial industry is already heavily regulated and laws currently mandate that various financial institutions, from banks to money transmitters, must keep extensive customer records and proactively report information about large or suspicious transactions to the government. Over the last two decades, the volume of these reports has grown rapidly, now surpassing millions per year. In effect, thousands of companies have been deputized to bulk collect and report reams of private financial information to the government.
And when it comes to shutting down accounts the government doesn’t like? Sometimes, that’s just an unofficial request, and it can be difficult for the public to know if the government is behind it or not. EFF has tracked multiple instances where payment processors cut off websites that were never charged with a crime, including an online bookseller, a short story archive, an alternative social network, and a music sharing site.
The combination of no judicial review, no public tracking, and deeply sensitive information about consumers creates a perfect storm for an unbalanced system, where the interests of law enforcement, administrative agencies, and prosecutors consistently win out over the interests of individual privacy and expression when it comes to financial transactions.
Transparency reports are one way to help right that balance.
Transparency reports are nothing new. Major companies like Google, Twitter, and Verizon have published them for years to no ill effect. Notably, there’s nothing in a transparency report that would endanger an investigation. Instead, these reports typically provide aggregate numbers on how many government requests a company receives in a given period of time (typically a year), how many requests the company complied with, and how many user accounts were impacted. Sometimes, these reports provide breakdowns by country, so we can know if the United States is sending more requests for user data than, say, France or China.
Over the last few years, more websites are also offering data on censorship requests: when a company receives a government request to shut down an account or remove speech from the web. This would be especially valuable in the context of payment processors.
Tracking transparency reports year over year is vital to the public’s understand of government efforts to surveil and censor. Analysts can use these reports to learn a lot: Are requests for user data increasing in particular sectors? How many accounts are impacted, and are all those accounts bundled into just a few requests? Are payment processors resisting certain government requests, or complying with every one?
Ideally, payment processors would choose to embrace even more transparency. For example, we’d like to see a commitment to publicly report on government requests that don’t come with an official subpoena, such as when Cook County Sheriff Thomas Dart violated the First Amendment by bullying credit card companies to shut down an account. We hope that financial companies would detail their process for handling government requests and include a process for account holders to appeal those decisions. We urge payment processors to report on how many Suspicious Activity Reports they file annually and how many unique customers those reports relate to. It would also be extremely helpful for payment processors to report on requests that may originate outside of the government, and to provide aggregate numbers on how many accounts are frozen and shut down in a year that aren’t about fraud.
But the first, simplest, most modest and reasonable step is a transparency report on the government requests for user data and account shutdowns, which has become standard practice across other industries where companies hold sensitive data.
Payment processors have gotten a lot of attention in recent years because they are often the most public piece of the financial services ecosystem when it comes to censorship. And they’re certainly powerful; as Charlie Kirk wrote in the Hill this month, "If all the payment processors decided to pool their collective power together and turn off their services in a single day it could totally destroy our lifestyle and chaos would ensue. No ordering Uber, purchasing medicine or using Amazon." But they aren’t the only financial institutions that should be looking into transparency reports. More transparency about government surveillance and censorship requests should be embraced throughout the financial services industry, including credit card companies, banks, loan services, and digital currency startups that hold consumer funds.
For years, payment processors have been a favorite avenue for law enforcement to ferret out and even punish individuals it can’t prosecute. Transparency helps shine a light on this slippery underbelly. Payment processors might reasonably convey to law enforcement a concern about public blowback if they receive requests that impact a large number of consumer accounts. Transparency provides fodder for investigative journalists, watchdog organizations, and even our elected officials seeking to better understand whether we’re adequately safeguarding privacy and speech rights.
Transparency reporting within the financial services industry will also help competitors understand how others are navigating this complex issue. If one payment processor rejects 5% of all the government requests it receives, it might inspire another similarly-situated payment processor to take a hard look at whether its review of government requests is adequately stringent.
For a payment processor that doesn’t currently have a system in place for tracking government requests, working today to start building that system will put the company in a position to publish data next year. EFF is committed to helping shift the conversation around transparency and financial services. If you’re at a payment processor or other financial institution and you’re working on developing a transparency reporting system, we’d be happy to discuss it with you. Please drop us an email (Rainey@eff.org).