INLS 187 - Information Security
Policy Analysis
February 09, 2003

As an avid eBay user I thought it would be interesting and insightful to examine the information policies of PayPal. Many sellers on eBay will only accept PayPal payments and I have used it on occasion but for some reason I have never truly felt comfortable using it. I know that you are using a credit card which offers a degree of protection against fraud but there is still something that leaves me unsure about the service.

PayPal claims to "let any business or consumer with an e-mail address to securely, conveniently, and cost-effectively send and receive payments online", but just how secure is this service and what guarantees do they offer their clients. Also, what does the user agree to when signing up for this service? These are the questions that I am going to be asking as I evaluate the PayPal service.

Here are the sections that I will looking at :

Some of these areas are multi-tiered and I will examine them as they are pertinent.

Policy Summary

Before I even examine the privacy policy I think it important to go over the About Us section, which details the specifics about the company. PayPal is middleman service that handles financial transactions. It is built on top of the preexisting financial infrastructures of banks and credit cards. Services are offered in 38 countries and there are over 20 million registered users. The company claims to average 28,000 new accounts a day. It also states that the owners of PayPal are eBay and that its home offices are in Mountain View, CA.

With all of that being said and a foundation established I am going to turn to the Privacy Policy. To understand the policy I am going to deconstruct it systematically, i.e. from top to bottom and pick out interesting parts along the way.

The first thing to note is that I am going to be evaluating the new policy which will take effect on March 4, 2003. If you want to view the older version please consult it here.

The first sentence in the initial paragraph of the Overview section says that PayPal will require personal information about the user, their credit card, and/or bank account. This seems fair but I am always hesitant to give out my bank account information to anyone. For this very reason I have never sold anything on eBay, which also requires a bank account number.

PayPal is quite adamant about not selling or releasing your information, but they leave themselves a loophole in the following statement,"We will not sell or rent your personally identifiable information or a list of our customers to third parties. However, as described in more detail in Part C below, there are limited circumstances in which some of your information will be shared with third parties, under strict restrictions, so it is important for you to review this Privacy Policy."(1)

So being a good researcher I went to Part C, entitled " Our Use and Disclosure of Information", to see what it says about these "limited circumstances". Well here we have it, "We use the information we collect about you in order 1) to provide our services and process your transactions, 2) to provide customer service, 3) to determine your eligibility to receive offers for special features or products, such as the PayPal MasterCard® debit card, and 4) to improve our products and services. At your option (as indicated in your PayPal Profile settings), we use the information you provide to access specific third party services on your behalf and perform the actions that you request us to perform, such as invoicing winning bidders on behalf of auction sellers." (2) This is a fairly typical user agreement loophole that most Internet companies use to help generate money. The user can deselect this option when they are signing up for the service which will prevent PayPal from sending you unrequested offers, newsletters, and user tips. Users can also perform this function later on under their PayPal preferences which will also eliminate unwanted e-mail

PayPal participates in the Council of Better Business Bureau's BBBOnline Privacy Program which regulates how the company deals with information. The program seems to be an elite organization that many major companies, such as Sony and Visa, participate in which lends credibility to PayPal and its Privacy Policy.

To further advance the credibility of PayPal the company allows an independent organization, TRUSTe, to review its privacy policies and information practices. By agreeing to use TRUSTe PayPal has to notify you of :

1. What personally identifiable information of yours is collected by PayPal.
2. The organization collecting the information.
3. How the information is used.
4. With whom the information may be shared.
5. What choices are available to you regarding collection, use and distribution of the information.
6. The kind of security procedures that are in place to protect the loss, misuse or alteration of information under PayPal's control.
7. How you can correct any inaccuracies in the information.

This use of TRUSTe definitely gives creed to PayPal's commitment to privacy.

Information that must be supplied to obtain a PayPal account is the user's name, address, phone number, and e-mail address. To make payments with PayPal you must supply either a credit card, bank/debit card, or bank account. All of this seems fair and even I am a little more at ease about the bank information because it is only necessary when transactions exceed $1,000.

The Privacy Policy goes on to further detail how PayPal verifies the user during a transaction, their use of cookies, and other various details but the section that I am interested in is their Information Security. This section states that all credit card and bank information is kept encrypted on computers that are not connected to the Internet. The only people who see this information are people accessed to do so. PayPal maintains "physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information".

What is interesting about the Information Security section is that PayPal places a measure of responsibility on the user. A user's password must be kept personal at all times and PayPal representatives will never request it from the user. I like this part of the Policy because it says that PayPal is doing all that it can to protect your privacy but if you willing give up your password you have compromised your own information. This is a nice touch in the policy.

That in essence is the Privacy Policy. There is additional information of how to contact the company and changing your personal information but that is a brief synopsis.

There is also another User Agreement which goes over a more legal aspect of the agreement that I am going to gloss over. This includes :

Privacy Policy
Closing Accounts and Limiting Account Access
Electronic Fund Transfer Rights and Error Resolution Policy
Seller Protection Policy
Buyer Complaint Policy
Money Back Guarantee Policy
Payments (Sending, Receiving, and Withdrawals) Policy
Premier and Business Account Policy
Fees Policy
PayPal Shops Policy
Debit Card Policy
BillPay Policy

Criteria for Evaluation

The following four areas my criteria for evaluation.

  1. What level of security is PayPal using to encrypt its data and where is extremely sensitive information, like credit card and bank account numbers, stored?
  2. Are there outside companies and organizations evaluating PayPal's information policies?
  3. How is the clarity of language in the policy and can the average person, being a non-lawyer type, understand it?
  4. Does PayPal offer explanations and tips for keeping yourself safe when using its product?

Analysis

1) What level of security is PayPal using to encrypt its data and where is extremely sensitive information, like credit card and bank account numbers, stored?

To answer this question is a two part effort. The first is to detail what level of encryption PayPal is using and the second is to describe how and where this information is stored.

PayPal offers a detailed description of how they encrypt information in their Data Security and Encryption section. The company uses SSL with a 128 bit encryption, which they claim to be the highest level commercially available, to transmit sensitive information. True to form when I click on the Sign Up link Mozilla indicates that I am about to enter an encrypted site that is verified by the Verisign Trust Network.

The storage of sensitive material is also detailed on the Data Security and Encryption section as well as the Privacy Policy. PayPal claims to store this information of a server that resides in the United States that is guarded by both physical and electrical deterrents. The storage server also uses a firewall and is not connected directly to the Internet. The important word here is "direct". Computers who do have Internet abilities are connected to this server and the information is therefore theoretically at risk, but PayPal does a good job of assuaging most people's fears by saying that the storage server is not "directly" connected to the Internet.

2) Are there outside companies and organizations evaluating PayPal's information policies?

The simple answer to this is yes there are two groups that review PayPal's policies. TRUSTe and Council of Better Business Bureau both review the information practices of PayPal and lend their names to the credibility of the service. TRUSTe is an "...independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices"(3). The Council of Better Business Bureau also runs a similar honesty policy that it holds registered businesses to. Both of these organizations are rather elite watchdog groups that any online business would clammer to have associated with their site because of their credibility.

3) How is the clarity of language in the policy and can the average person, being a non-lawyer type, understand it?

For my purposes the manner in which the Privacy Policy and User Policy are written are quite clear, but then again I am a graduate student. While I have no guinea pig to turn these two Policies on I can imagine that most people do not read them. Both of them are rather long in nature and are slightly repetitive but the policies detail every conceivable aspect of the company if one takes the time to read them. There is really no legalize or complex computer talk to confuse people and I feel that Privacy Policy and User Policy are both very honest.

4) Does PayPal offer explanations and tips for keeping yourself safe when using its product?

PayPal offers a plethora of hints and tips for both security and shopping in its Security Center.

These include:

  • Shopping Security Tips
  • Security Tips
  • FTC Security Tips
  • Data Security and Encryption
  • Privacy Policy
  • Account Insurance
  • Verification
  • Fraud Prevention Tips for Sellers
  • Fraud Prevention Tips for Buyers
  • Buyer Complaint Process
  • Buyer Complaint Form
  • Money Back Guarantee
  • Report a Problem

All of these are robust explanations and tips for the common user.

Further help can be found in the Help Center which serves a type of FAQ.

Recommendations

There are not many things that could recommend to PayPal that they or their lawyers have not already thought of. The user's needs are met and explained in detail to them, if they bother to read them. The security of the service is also spelled out which not many companies do but as this is a type of courier service I can understand the need. There is a FAQ section and a security tips area. Complaint forms are readily available and easy to submit.

As far as I know PayPal has never been cracked and there is no public record of it. Until a crack happens one has to believe that the company is doing its best at security.

All in all I would feel comfortable using PayPal and give it a big A+ on all fronts.

Footnotes

1 PayPal Privacy Policy, accessed Sunday, February 9, 2003, 09:52 am.

2 sic, accessed Sunday, February 9, 2003, 10:00 am.

3 sic, accessed Sunday, February 9, 2003, 11:36 am.

Matthew Bachtell

Return to the main index

PayPal Logo

PayPal logo taken from their web page.