The online verification process for HDFC Bank’s credit card application requires users to give the bank permission to view the user’s email messages & settings and permission to view all contacts, in addition to basic info like age range and language and other email addresses. (Hattip: Twitter user N). This information can be read by employees, and is likely not stored in India.
— N (@coderzombie) January 9, 2017
HDFC seems to channel this information through Verifi.Me’s verification services. Verifi.Me seems to provide verification services for ‘many partners’, although it does not specify any of them. It also offers an app for consumers that can be used to save digital copies of documents for verification, as well as to verify through online means such as email verification, which the company claims “allows people to prove their identities and fast-track their applications.” The app isn’t accessible in India.
It also mentions that it only shares information which is required to be known for verification; however, this information is accessible to employees “who are required to know such information in order provide our Services to you.” Essentially, those verifying through this method for HDFC Bank could end up having their emails, bank statements, photos and other sensitive information read by employees.
It’s not clear if what the bank is doing is legal, and it may be operating in a grey area of regulation given the lax privacy and security laws in India.
.@HDFC_Bank has sent me a message through verifi.me asking me to verify my digital identity. Asking for access to FB, Gmail, Linkedin. Safe?
— Mohammad Omar (@omar1618) December 30, 2016
— Chinmayi (@chinmayiarun) September 1, 2016
— aviraj gunjal (@avirajgunjal) July 30, 2016
MediaNama has written and called HDFC Bank about the privacy issues while collecting customer data and we will update once we hear from them.
The issue has been brought to HDFC Bank’s notice by various users on Twitter over the last few months, and the Bank has at times responded by asking users to send in an email. However, this problem is unlikely to be resolved by customer support; rather, the bank will have to rethink how it collects data for verification in the first place. Additionally, it is high time the Government defined a clear privacy law, especially in the context of online identities and information, something it has been putting off for over 5 years now.
“We collect Personal Information at registration, signing in to Verifi.Me through a Third party registration tool and, in general when using any of the Services (including but not limited to, the following: your name, email address, phone number, gender, government ID, date of birth, occupation, employment and economic status (income, employer) tax information (tax returns and other information about your tax situation), contact information (such as telephone numbers, addresses, email addresses, etc.), educational background, family information, bank or financial information (bank accounts, loans, debt, monthly expenses), pictures, why you decided to use Verifi.Me, information from your social media accounts, and a means to authenticate your account (e.g. a password).”
“We do not have control over the use of your personal information once it is shared by our Partners or Third Party Providers, and we are not responsible for their privacy practices. Your rights with respect to their treatment of your information will be governed by their own policies.”
“However you will not be able to delete your account if you have an outstanding obligation (e.g. loan) with Verifi.Me or any of our Partners.”
“We restrict access to your Personal information only to those employees who are required to know such information in order provide our Services to you. We train our employees on all our security procedures, and we conduct audits to check compliance.”
“If you are located in a non-US jurisdiction, you may be sending your Personal Information to the United States or another jurisdiction that does not have laws that provide an equivalent level of data protection to the laws in your home country.”