Cashback: si parla tanto di app IO e di privacy, ma qualcuno ha letto la policy ufficiale sul trattamento dei dati degli utenti? Noi sì.
L’avvio difficilissimo del Piano Cashback del Governo si riassume in due hashtag estremamente popolari sui social: #IOapp e #IOappPrivacy. Da una parte gli utenti continuano a lamentare gravi problemi di funzionamento dell’app IO, che vi abbiamo documentato ieri e che continuano anche oggi, dall’altro c’è chi fa ironia sul fatto che in appena due giorni IO ha quasi raggiunto il numero di download di Immuni, senza che nessuno si preoccupasse della questione privacy.
The issue, however, is there and goes far beyond a simple hashtag of mockery on Twitter because through IO and our smartphone, but also through payment cards, if enabled to Cashback (here the procedure), we are transferring to the Italian Government a huge amount of data, sensitive to say the least. Almost no one, however, is doing this after reading the privacy policy of the IO app that exists, is indicated both within the app and on the official website, and should be read and understood (you can find it here). This is something that should be done before installing any app, to be honest, but even more if the app was created to track our purchases valid for cashback. That’s why it’s important to read the IO privacy policy and what it says.
Io app and privacy: what data are sent
Basically, we could say that all the data that the IO app collects for cashback purposes are data that are already available to someone else: payment card details, cardholder identification data, purchase amounts, where we bought and when are in fact data that are collected by those who issued the card.
By using this data, of course, it is possible to profile the card user extremely accurately. In the case of IO, however, the matter is even more delicate because if we register and enable more cards to cashback, all the data of the transactions through these cards will end up in a single large container. The fact that purchasing by electronic payment method is incentivized by cashback, then, stimulates the user to make more transactions with cards and apps and, therefore, to grant more data than they would normally grant.
To understand what we’re talking about: if we use card X we give our data to bank or finance company X; if we use card Y we give our data to bank or finance company Y; X and Y normally don’t cooperate and don’t share user data, but if we associate the two cards to the same app then the app in question has both data from transactions made with X and those made with Y. To this data we add the IBAN on which to pay the cashback, which can also be different from the IBAN of the payment card. The dream of any company working on big data.
Companies like Google or Apple, which with Google Pay and Apple Pay have all this data available if we associate all our cards to their respective apps. So the amount of data we transfer to IO is comparable to the amount of data we transfer to Google or Apple if we use their payment apps. But it’s more if, to get more cashback, we make more purchases with cards.
Exactly what the government tells us to do. Without forgetting, then, that to use IO we must also communicate our SPID or our CIE, which Apple and Google do not have. Remember, in this regard, that it is possible to receive cashback without SPID and CIE.
App IO: how privacy is managed
The privacy of IO users is regulated by the now well-known European General Data Protection Regulation (RGPD, better known as GDPR). The Data Controller is the Ministry of Economy and Finance (MEF).
The MEF manages IO through two public subsidiaries, PagoPA SpA and Consap Spa, which are responsible for the treatment of personal data. In estrema sintesi a PagoPA spetta di organizzare e gestire tutto il funzionamento di IO e del cashback, mentre a Consap spetta il compito di gestire futuri eventuali richiami. Per gestire tali richiami Consap metterà in piedi una apposita piattafoma Web.
La privacy policy di IO specifica anche che i dati verranno gestiti in modo automatizzato e che è espressamente vietato qualsiasi trattamento a scopo di profitto o profilazione. I nostri dati, quindi, non verranno usati per inviarci pubblicità targettizzate, né verranno venduti a qualcuno, né usati dal Ministero per altri scopi al di fuori dell’erogazione del cashback.
Chi oggi aderisce al Piano Cashback può in seguito uscirne chiedendo la cancellazione dei propri dati. PagoPA and Consap are authorized to nominate eventual sub-responsibles, in case some operations on the data are subcontracted.
App IO: PagoPA and Consap’s Extra-EU Suppliers
A specific paragraph of IO’s privacy policy finally specifies that some data could be sent to “third party suppliers that have their headquarters in Extra-EU countries (USA)“. American companies, then. But who are they?
We asked, through the email addresses to which any citizen could do it, both to PagoPA and Consap. The first one didn’t answer, the second one did, specifying that the American supplier is Oracle, on whose servers the data of the claims are hosted (e-mail address and password, fiscal code, name and surname, data of the attached identity documents, data related to the claim itself). The servers in question are located in Europe, not the U.S., and communication takes place via an encrypted connection that prevents the data from being read by Oracle.
PagoPA, on the other hand, did not respond to the request for clarification sent, while the email address of IO’s press office, which anyone can find on the app’s website, is non-existent.