Shostack + Friends Blog


Citizen Threat Modeling and more data


Last week, in "Threat Modeling: Citizens Versus Systems," I wrote:

I think that was a right call for the first project, because the secondary data flows are a can of worms, and drawing them would, frankly, look like a can of worms.
Many organizations don’t disclose them beyond saying “we share your data to deliver and improve the service,” and those that do go farther disclose little about the specifics of what data is transferred to whom.

[Image: Paypal Partnerships]

Today, via Bruce Schneier, we see that Paypal has disclosed the list of over 600 companies they might share your data with. He rightly asks if that's unusual. We don't know. My instinct is that it's not unusual for a financial multi-national.

I'm standing by the questions I asked; the first level of categories in the Paypal list may act as a good third level for our analysis. It will be interesting to see if others use the same categories. If they don't, the analysis process is magnified.

Their categories are:

  1. Payment Processors
  2. Audit
  3. Customer Service outsourcing
  4. Credit reference and fraud agencies
  5. Financial products
  6. Commercial partnerships
  7. Marketing and public relations
  8. Operational services
  9. Group companies
  10. Commercial partners
  11. Legal
  12. Agencies

It's unclear to me how 6 ("Commercial partnerships") differs from 10 ("Commercial partners"). I say this because I'm curious, not to point and laugh. We should cut Paypal some slack and appreciate that this is a new process to handle a new legal requirement. I'm also curious if 12 ("agencies") means "law enforcement agencies" or something else.

Visualization from How PayPal Shares Your Data.