TD Visa customers' browsing activities open to 'surveillance' by bank

CBC News investigates  ​

Colin Laughlan is one of thousands of Canadians who had his Visa cards switched from CIBC to TD in 2014 after the Aeroplan rewards program changed banks. 

"When I saw this — I really had to read it two or three times to make myself believe I was reading what I was reading," he said.

He points to two lines in the 66-page Visa cardholder agreement that allows TD to collect details about anything — and everything — customers do online. 

Under the privacy section of the cardholder agreement:

"COLLECTING AND USING YOUR INFORMATION — At the time you request to begin a relationship with us and during the course of our relationship, we may collect information including: 

• Details about your browsing activity on your browser or mobile device.
• Your preferences and activities.

Laughlan, from Vancouver, has a background in privacy issues as a former journalist and communications specialist. He said his radar was up when his new TD Visa card and cardholder agreement arrived in the mail.

"I couldn't see any reason they had to do that sort of surveillance on Canadians and they weren't being particularly forthright about it. This was slipped into the fine print of the policy and I'm well aware that the vast majority of people don't read these things," he said. 

Laughlan said it took almost a year before his complaint finally reached TD's privacy office.  

The bank eventually apologized, according to Laughlan, and said it was in the process of removing the "browsing activity" line from the agreement. In the meantime, it sent him what it called a "personalized policy" with the browsing activity line crossed out by hand and initialled by a senior officer in the bank's privacy office. 

Questionable clause remains

Six months later, Laughlan received another user agreement for a different TD Visa and realized nothing had changed. He complained again and said he was told the agreement was sent by mistake and again assured the problem would be fixed.

Then it happened a third time. That's when he contacted Go Public.

"This is now going on to 18 months. They hadn't changed it as they had promised ... I'm really upset … I thought this is something Canadians should know about," he said. 

Go Public put the issue to TD Bank Group, which responded with an email saying the intention was to allow the bank to collect information only when customers use TD websites and TD mobile apps.

"TD has never, at any time, collected general information regarding details about customers' browsing activity, their browser or mobile device," the statement said.

The bank did remove the browsing clause from its online cardholder agreement, but it remains  part of the printed version mailed out to customers. The bank tells Go Public that will change when the paper agreements need to be reprinted.

It will keep, however, the line that allows it to monitor customers' "preferences and activities." The bank said it uses that information for banking purposes, including managing products and services and assessing risk. 

It has a 'creepy factor,' says tech expert 

Sharon Polsky, the president of the Privacy and Access Council of Canada, believes that kind of general wording in user agreements opens Canadians up to sharing far more than they intended, and not just with banks. 

"The waters are very murky. People do not realize very often that their information is being disclosed," Polsky said.

Under Canadian law, consent is needed in order to allow anyone to access your online activity. But Polsky said the problem is most people don't realize that by signing up for a credit card or downloading an app they are granting that permission. 

I've heard it said that Google and Facebook know more about you and me than we do.- Sharon Polsky, privacy expert

"It has a creepy factor.... They can create a very, very detailed profile of each of us … what we do, where we go, what we think," she said.

What businesses do with the information they collect is concerning to Polsky, because it is unclear how it will be used.

"A lot of people don't realize just how invasive organizations are already with our personal information," said Polsky. "So, when you see a clause that says the organization will gather whatever it wishes about you and use it however it wishes — that's when you start wondering why? For whose benefit? Certainly not the consumer," she said.

Are banks going too far?

Polsky said all banks need to collect some information about their customers' online habits in order to meet legal and governmental obligations, but she believes often the amount of information being collected goes too far.

She points to several online articles that say some banks and other businesses are beginning to look at using information taken from monitoring online activity to assess risk and sometimes gauge a customer's credit worthiness.

"They figure out what are the likely behaviours. If you shop at a certain store where other people who shop have declared bankruptcy you became a higher risk. If you go to certain neighbourhoods, if you live in a certain postal code," she said.

"If you say certain keywords on your social media page — innocent words that you wouldn't think twice about using. The word 'wasted' for example. If that's used on your social media profile, that's a trigger, because it apparently indicates certain risky behaviors."

83% of certain apps can mine online info

Polsky said it's not just banking apps that collect information. She points to a recent study that found 83% of Android apps available in the Google Play store can include "full network-access" permission which allows an app to access whatever network a user's device is connected to.

The amount of information that can be collected differs based on how the app is designed. 

"Apps can gather basically anything that's on your phone or any device your phone is attached to. They can tie into your contact list, the content of your tweets, your email, your texts, your camera, the microphone," Polsky said. 

CBC News Investigates: Stories, videos, photos and more​

Submit your story ideas

Go Public is an investigative news segment on CBC-TV, radio and the web.

We tell your stories and hold the powers that be accountable.

We want to hear from people across the country with stories they want to make public.

Submit your story ideas at Go Public.

Follow @CBCGoPublic on Twitter.