Yodlee Responds and Corrects The Wall Street Journal Article
The Wall Street Journal has published a lengthy piece (Provider of Personal Finance Tools Tracks Bank Cards, Sells Data to Investors, by Bradley Hope, 8/6/15) that affirms what Yodlee customers and partners already know: Yodlee is an industry leader in value-enhancing analytic products, and independent auditors and leading academics experts have confirmed we uphold the highest safety, security, and privacy standards in the business. Nevertheless the article contains a number of concerning misapprehensions, insinuations, and omissions.
Yodlee is driven by the conviction that every business, no matter its model, must make advances in data analytics to survive and thrive. And we have for years enabled companies to make better decisions through rigorous, empirical data analysis.
Here are some other key facts you should know about Yodlee, many of which you wont find in the Journal story.
- Yodlee typically receives transaction data elements in a non-identifiable form. As an additional layer of protection, Yodlee employs systems that scrub any data containing personally identifiable information (PII) according to the highest privacy standards and industry best practices. Our data products do not contain PII that identifies unique individuals.
- Yodlee has a very limited number of partnerships with firms to develop more sophisticated analytics solutions. These partners only receive a small, scrubbed, de-identified, and dynamic sample of data to enable trend analysis. Yodlee does not offer, nor do partners receive, raw data.
- Yodlees partners are contractually prohibited from sharing our data, and from even attempting to re-identify its source. They are also bound to maintain our strict legal, technical, and administrative controls that restrict who can access the de-identified data.
- Yodlees partners have no business reason or incentive to re-identify individuals. The Journal presented no evidence that they have violated these restrictions.
- Troublingly, The Wall Street Journal insinuates, by associating Yodlees practices with the results of an MIT study, that it might be possible to re-identify our data. The MIT study is inapplicable here. This is not a matter of opinion, but objective fact, and was explicitly pointed out to The Wall Street Journal both by Yodlee, and data privacy expert Professor Peter Swire, who informed the Journal, My view is that the studys results do not apply to the Yodlee facts. The MIT study was simply anonymized, in contrast to the multiple layers of technical protections that Yodlee applies. The MIT study did not apply to organizations that have made contractual commitments not to try to re-identify data, and so would be subject to legal enforcement even for attempting to re-identify individuals. The Yodlee data is kept behind a firewall, and no one can re-identify data that they cant even access. The combination of technical and organizational controls that Yodlee deploys thus, in my view, means that the results in the MIT study do not apply to Yodlees facts.
- The Wall Street Journal provided no evidence or study showing it is possible for Yodlees data productswhich are protected, non-public, and scrubbedto re-identify individuals. Independent auditors at Privacy Analytics, a leading firm advising companies on maintaining the privacy of the most sensitive kinds of data, including medical records, have confirmed that Yodlees practices meet the highest standards of safety and privacy. Leading academic experts, including Professor Swire, along with Professor Annie Anton of Georgia Tech, also confirm that Yodlee meets or exceeds all federally prescribed standards and best practices. These include ensuring that transaction elements are not reasonably identifiable and committing that neither we nor our partners will use transaction elements to attempt to re-identify individuals. Weve included statements from Professor Anton and Professor Swire below, and these statements were also provided to The Wall Street Journal. But the Journal elected to omit them in their entirety, and the story includes only a brief quote from Swire.
Our view is that, despite weeks of good-faith interaction in which we repeatedly tried to educate and elucidate the Journal on our business practices, this story fails to meet basic journalistic standards by omitting key facts and relying on insinuation to give readers a limited and distorted view of our business.
The overriding question, today and tomorrow, is not whether businesses will need to leverage data to succeedthey willbut whether they can do it intelligently, securely, and in a way that does everything possible to protect privacy. Yodlee is an industry leader at doing just that, and we will continue to uphold the highest industry standards as we compete, grow, and innovate.
* * *
“Yodlee’s practices fundamentally differ from the re-identification reports in the academic literature. Those studies have gone after databases posted on the public Internet, so that researchers could try numerous technical means to seek to uncover one or a limited number of names in a large dataset. By contrast, Yodlee’s data is protected behind firewalls and other technical and administrative controls. An attacker would first need to breach the database, and then also crack data that is extremely well protected. This combination of strong technical and administrative controls is exactly what regulators have recommended to responsible companies. So this is a story about what companies are supposed to be doing with individuals’ data.”
“My view is that the study’s results do not apply to the Yodlee facts. The MIT study was “simply” anonymized, in contrast to the multiple layers of technical protections that Yodlee applies. The MIT study did not apply to organizations that have made contractual commitments not to try to re-identify data, and so would be subject to legal enforcement even for attempting to re-identify individuals. The Yodlee data is kept behind a firewall, and no one can re-identify data that they can’t even access. The combination of technical and organizational controls that Yodlee deploys thus, in my view, means that the results in the MIT study do not apply to Yodlee’s facts.”
—Professor Peter Swire, Professor of Law and Ethics, Georgia Tech; Former Chief Counselor for Privacy, US Office of Management and Budget (OMB); member, White House Review Group on Intelligence and Communications Technology.
“As a software engineer, I know that it is essential to have a comprehensive system in place to control data privacy and security when it enters an organization, during its handling, and when it leaves. Yodlee has done impressive work in engineering its data systems accordingly.”
—Professor Annie Anton, Professor and Chair, School of Interactive Computing, Georgia Tech; Founder and Director: ThePrivacyPlace.org; Former member, Department of Homeland Security Data Privacy and Integrity Advisory Committee
Yodlee is now a part of Envestnet – Together we accelerate the transformation of financial technology.