When will we get the OPT-OUT to NOT be identifiable as revolut customer to other customers?


#1

Hello.

As the other thread (Can’t ‘Send money’ WITHOUT ‘Revolut needs to access your contacts’) concerning revolut’s approach to users’ privacy concerns was closed after one year - ironically saying there is the ‘solution’ of not using direct-payments when we don’t want to grant access to our address book - the other privacy issue discussed in the thread needs an own thread:

Up until now every revolut customer is identifiable by other revolut customers if they share their address book.
Up until now there is no OPT-OUT for privacy-concerned customers who DON’T WANT to be identifiable to others only because they have their number or eMail in their address book.
Every other revolut customer who by chance has your eMail or phone number will see that you have bank account with revolut.

So far nobody would tell me how on earth this can be in accordance with the General Data Protection Regulation (GDPR) which became effective in the end of May 2018.

Here is how the competition handles it with an OPT-IN:
“In the context of using the services of the N26 App, I agree to be identifiable for other users as N26 customer.”

(Even if you don’t OPT-IN other users can send you direct payments by entering your phone number or email address… - I know, it’s ‘magic’ if I read my above mentioned one-year-old bug report!)

On July 16th I chatted (once more) about this topic and got the following:

“We are aware of this issue and currently working on it - in the nearest future users will be given an option to opt-out.”
+
“I don’t have any estimated timeframe for now. We will provide a response on community page shortly.”

Well - over 2 weeks later is not really ‘shortly’.

See please give us an update!
(And I would really be interested how your Data Protection Officer (DPO) is commenting on the issue!)

Cheers, raimerik


#2

+1 Was very puzzled (and not amused at all) when I found out this was possible.


#3

So this means that Revolut are operating illegally in the EU?


#4

+1000

And the answers like “you can always cancel our service to opt-out” are fully unacceptable


#5

Update:

July 16th revolut said:

  1. ‘we are aware of this issue and currently working on it - in the nearest future users will be given an option to opt-out.’
  2. concerning the time-frame: ‘We will provide a response on community page shortly.’

November 6th:

‘just double checked with our relevant team. We have no new information about that option.’

It’s really concerning that loyal customers must repeat and repeat over and over that reliability and data sensitivity are cornerstones of banking - even in FinTech times…

Next step: DPO@revolut.com

:\ raimerik (disappointed and frustrated by this degree of neglect/obliviousness)


#6

Worrying indeed, wasn´t GDPR the legislation that caused all that mail back in May?

All the companies adapted and threats about heavy fines was communicated, that does not bode well.

Hopefully we will have opt-out available shortly!


#7

If it were in violation of GDPR then wouldn’t they have to face class action suits already? Maybe, that means there is something that gets them on the right side of the law even with this feature on.

  • But I would surely like to have the ability to choose my visibility

#8

I am also quite certain that we agreed to let them to this when we signed up through the terms of service.


#9

Yes but no update may 25 where we got to opt-out?

Fact of the matter i had *NO’ idea revolut even did this when i signed up - it wasn’t exactly self explanatory that it would mess the contacts in android up by doing duplicates and tripples and i’m pretty certain it didn´t say anything special about sharing contact info with other revolut users in ones contacts.

I discovered it by accident and thought to myself “hello security breach big time here”…

The result was that i simply keep my revolut accounts at a minimum and use other regular cards with old school banks that doesn’t release info to others more instead. One day we might have the ability to turn it of - then :r: can be a daily driver.


#10

Swede you are perfectly allowed to opt out by closing your account. The usage of your phone contacts is stated in the terms under privacy.

Look for 4. USES MADE OF THE INFORMATION. Also every smartphone these days will ask you if you want to allow the app access to contacts.


#11

Absolutely,

I simply skip using :r: as much as i first intended to and try to get the security issue through to team :r:. After all there is a banking license applied for so sooner or later :r: will want to act like any other bank concerning this issue is my hope and bet!


#12

I would not call it a security issue. You can simply deny access to contacts also it is clearly stated in the terms how the data is used.

If it was a security issue. It would mean that Revolut inadvertently were exposing personal data or data without the consent of the user. As you have agreed to the terms, you agreed to the way this data is used.


#13

Hi Henrik!

I don’t find such kind of snappy love-it-or-leave-it remarks as ‘opt-out by not using the service’ helpful or particularly smart.
And not everything dug in endless ToS is legal just because it’s in there…

More to the point: if you are paying attention to customers’ privacy concerns and promise offering an opt-out solution ‘soon’ it should not be >4months… Or never…

But thank you for pointing out the ToS, as there is more flabbergasting stuff in there:

‘To make you aware if any of your contacts who are Revolut Users have utilised any of Revolut’s products or features.’

So even if I don’t allow revolut to grab my contacts’ personal data, other random revolut customers who happen my data in their address book (customers, clients, business contacts, students) can not only see that I have a bank account with revolut, but can be made aware that I have ‘utilized any of revolut’s products or services…’?!

Wow. Just wow.

Will report back with what the DPO had to say…

Cheers, raimerik

update: removed on-the-run typos etc.


#14

You can do lots of things, im pretty sure im NOT the only one who didn’t realise what :r: was up to with ones contacts.

It is a serious security issue as @raimerik already has explained so well.

The solution is simple, don’t use :r: as daily driver card, i can live with that if that is what it all boils down to in the end. What i won’t do is stop voicing my opinion “because it was in the terms when you signed up” - pardon my french but that is just bulls… lame excuse.


#15

I agree it would be nice to have an opt-out. But i would not call it a security risk. Is the current solution subpar? Yes. Does it expose any personal data of you? No.

My comment about it being in the terms. Is because i am stunned by how many who signup for financial services such as Revolut without reading the terms they accept when they initial signup. Being concerned about your privacy and security, it must be a prerequisite to read the terms when signing up. If not, how do you know how your data is used?

Are you concerned that others can see you are a Revolut user, then you can get a prepaid number and use that with Revolut. That would give you total anonymity and then tell the App to not have access to your contacts.


#16

Even when you read the terms its not totally clear that the information will be shared with other users.

We both know very few READ terms in any case. There should be better information about it i think, realising after having already given :r: access to ones contacts won’t help much, done is done.

There should have been an update around this issue around may 25 this year i suppose?


#17

Hej, Swede! :wink:
Where is the source for this May25th reference you keep talking about? I am curious about that!
Cheers, raimerik


#18

GDPR was enforced on that date, remember all the mail that bombarded us the weeks up until may 25? :sunglasses:


#19

GDPR does not prevent this, or require an opt out. It just requires that you know what data, and how the data is saved and processed.


#20

I think you’re misunderstanding GDPR. Since Revolut is only filling out information people already have, it isn’t exposing any personal information that is identifiable to a person, or at least this is my understanding of it, thus it doesn’t require any explicit permission aside from what is stated in the ToS.

Lets not pretend that this is a massive issue regardless, if you’re doing business you should put some money aside for a business mobile or a second SIM :wink: