If the product is free, you are the product
A commonly repeated phrase stated by many when talks of privacy and software come about. And to be fair, there aren't many instances where the person saying that is wrong. However, this often leads to an unintended, maybe even subconscious, assumption that can be detrimental.
Since I'm paying for the product, I have nothing to worry about
On the surface, I could see how this passes the eyeball test. After all, we're giving them money which means they don't need to collect all kinds of data to share or sell, right?
Everyone already knows that Microsoft, Apple, Google, Facebook, Amazon are all looking to get a piece of our data pie, so let's talk about an example that isn't related to any of them but still fairly popular that an everyday person would know about. Let's talk about the incredibly popular budgeting software/service, You Need A Budget.
They currently charge just shy of $90 per year, or about ~$7/mo, to allow us to use their software and services. You'd think it would be safe to assume that since we're paying them almost $100 a year that our data stays in their loving hands, right?
We do not sell users’ data. (And we never have!)
This is good, no, great news! The last thing we want to see is a company selling the data of its users, especially when it comes to finances. Let's keep reading.
To contractors, service providers, and other third parties we use to support our business, in particular providing infrastructure and analytics services, and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
With respect to aggregating your banking and other financial accounts, we will transmit your account credentials to third-party aggregation partners, who will use them to gather and maintain your account balances, transactions, and holdings used to provide our services.
To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.
To fulfill the purpose for which you provide it.
In aggregated form, and/or information that does not identify any individual.
For any other purpose disclosed by us when you provide the information.
With your consent.
So, just because they aren't selling our data doesn't mean they aren't sharing it. We're giving them access to all of our sensitive financial information yet some or all of it ends up in the hands of third parties and analytic companies. To make matters worse, YNAB and its employees can access our accounts and view all of the data and information we've provided at any time they want to. Take a peek.
The YNAB Team does not access or interact with customers’ budget data as part of normal operations. There are cases where a customer requests that YNAB access their budget, or where required by law. All budget data is access-controlled, accompanied by customer approval, and carries with it documentation surrounding the reason for access and the access start and end time. A YNAB Team member’s violation of our customer data access policy will result in immediate dismissal.
They try to reassure us by saying they'll fire anyone on the spot who accesses our data without our consent but those promises hold little value. The point is they can still access it and who knows for how long or how many times before they're caught, if they ever are.
This isn't uncharted waters or tin foil hat territory either. A damning report on SnapChat came out regarding employees accessing user information.
Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses.
They aren't the only ones caught with their pants down either. Uber was seen doing something similar.
Uber employees regularly abused the company’s “God view” to spy on the movements of “high-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses”, according to testimony from the company’s former forensic investigator Samuel Ward Spangenberg. Even Beyoncé’s account was monitored, the investigator said.
When asked if staffers, ranging from core team members to customer service reps, abused this privilege, the source said “Hell yes. I definitely looked at my friends’ rider history and looked at what drivers said about them. I never got in trouble.” Another supposed employee anonymously reported on workplace app Blind that staffers had access to this private information and that the access was abused.
Our source says that the data insights tool logs all usage, so staffers were warned by their peers to be careful when accessing it surreptitiously. For example, some thought that repeatedly searching for the same person might get noticed. But despite Lyft logging the access, enforcement was weak, so team members still abused it.
You Need A Budget is merely one of many companies who still collect and share information even though they're handed our cold, hard cash. This is a friendly reminder to always check all the services you use regardless if it costs money or not.
Side note: In case you're curious about YNAB alternatives that are better for your privacy, here's a few recommendation. I will say, some of these choices won't have fancy graphics or flashy animations and are gear more towards utility.
If you're into self hosting for full control Firefly III is tough to beat.
There's also nothing wrong with a simple spreadsheet or good old fashioned pen and paper.
Want to join the discussion? Check out this post, and others, over at the CupWire subreddit and leave a comment.