Regulators, Mount Up! Analysis of Privacy Policies for Mobile Money Services

Emerging digital financial services use mobile phones to provide access to populations traditionally excluded from the global economy. These "mobile money" services have proven extremely successful in their first ten years of deployment, and provide a powerful means of raising people out of poverty. Such services have access to a wealth of customer information, potentially including entire purchase histories, geolocation, and social network information. In this paper, we perform the first study of privacy policies in mobile money services, evaluating policies from 54 services and comparing them to 50 policies from traditional financial institutions. Because mobile money services are developed under a wide range of regulatory environments, we compare policies to the industry standard (the GSMA's Mobile Privacy Principles) and to a traditional national standard (the FDIC's Privacy Rule Handbook). Our analysis shows that almost half (44%) of these mobile money services do not have any privacy policy whatsoever. Of the services that do have privacy policies, roughly one-third (33%) fail to provide them in either of the two most common languages of their market. Furthermore, 50% of these policies do not ever identify to the user what data is actually being collected and stored. Finally, we find that where policies do exist, they are often incomplete and difficult for their target customers to read. These findings show that more work is needed to protect consumer privacy within these mobile money services.
