Search history can calculate better credit ratings than pay slips, says International Monetary Fund Your web search history plus records of the browser and device you use to make those searches could enable financial institutions to calculate you a more accurate credit rating than traditional methods, according to the International Monetary Fund (IMF). And the global finance organisation says the ability to use those records …
Because they don't want to?
Because they haven't got a pot to p**s in?
In the UK the banking industry has persistently cut branches (in places they don't make enough profit) while telling the relevant HoC that relaxing rules on credit unions (that have tighter joining rules than banks) are a Bad Thing.
The best thing that could happen is to treat banks like any other business. They f**k up, they go bankrupt. I'm sick and tired of their "But we're speeeeeeeecial" schtick.
> I guess if "how to defraud the bank" is one of the search questions then you've failed.
Had to try it. One interesting result popped up: https://www.investopedia.com/articles/pf/08/avoid-atm-scams-atm-fraud.asp.
>>alternative data sources are often superior than traditional credit assessment methods
I don't think that is saying much.
30 years ago I took out my one and only loan, to buy a new truck.
Even though I had a steady job, owned a house and had plenty of money on hand, it was difficult to get that loan, due to no lending history.
I realize credit may be necessary but... I prefer to accumulate funds and pay as I go.
I believe credit rating is overrated and I'm not a big fan of credit anyway.
Here in the US, I have the feeling people are trained from an early age that going into debt is a good thing.
Yes exactly.
One of those "Study shows that Bears tend to defecate in foliated areas, Pope confesses that he is a Catholic" articles.
Who'd have thought that a handful of regulated data on a person's financial transactions on a report output by a database written in COBOL in 1985, are less useful a predictor of this person's future financial solvency, than unregulated billions of data points about that person's everyday life, their romantic, erotic, gambling, purchasing habits, innermost thoughts, worries and secrets, the YouTube videos they watch, the friends they keep, the car they want, the holiday they are planning, the company they keep, and the Company they work for.
Primary device - older Firefox on Android (with paranoid blocking).
Secondary device - NetSurf on RISC OS.
Tertiary device - even older Firefox on XP (it's a rescued box for when I need Windows, never saw the point of upgrading to anything newer).
Search history? I'm playing about with something in TurboC right now "for the hell of it" so various searches related to nerdy crap like DOS int calls and which port to fiddle with to detect VSync.
I read The Register, The Guardian, and xkcd.
I'm not employed in IT. I do this for amusement (so don't bother telling me TurboC is a billion years out of date, I'm aware of that, but for something to run on 16 bit DOS, it's just the ticket).
And my credit rating is: FAIL, get a life.
Wow, TurboC! I never gave that a try. I did try my hand at some TurboAssembler - alas I think I threw the boxes out a few years back. Those were simpler times (programming-wise), not too many registers to worry about, direct memory access to stuff - but there are certain aspects I don't miss, like fine-tuning the autoexec.bat file to free up memory for certain games but load drivers for input devices for other games. I wrote some "startup menu" thingy so you could select which one to run - beats having four boot floppies sitting around and getting lost, or just slowly wearing out. Ooh, and configuring any hardware (before Plug'n'Pray), carefully selecting interupts and addresses. And ad-hoc-networking, via serial or parallel ports (I did fry one or the other...). Printer setup - with printer cables that had those dip switches in them. And no internet to search for the answers to those problems.
Good old times? Bah, humbug! Summers were scorching, the wasps were more agressive and the schools' caretakers were sadistic old buggers - in other word: hairy green things from AZ were really hairy green things from AZ.
It's utterly pointless. In another forum in another place, somebody gave a "friend of a friend" quote to make a clone of the RISC OS UI running under FreeDOS (why? long story) of 3000 hours at $125 per hour. Quick calculation puts that at a little under two years full time and a third of a million dollars. Which is obviously bullshit for something that can't actually work and will just lookee-likee.
So I'm having a crack at writing a copy of the Arthur desktop pretty much for the hell of it. Never written a WindowManager before, and doing it from the ground up is insane, but it's an interesting exercise in discovering solutions to stuff that I've never really considered before. Only spent a few hours on it, but it can draw basic windows and move them around the screen with the mouse dragging either the title bar or the resize button. So, it's coming along.
I'll be honest though, I've cloned the necessary parts of the BGI library so I can write the code under RISC OS, then just build the DOS version from that with DOSbox.
Still, it's something to do that keeps me away from Netflix and a large tub of chocolates...
There is so much wrong with this that it's hard to come up with a succinct comment to reflect how I feel about it.
Clearly (especially with the idea of integrating with facebook etc) they are pushing for a world where you must fully expose your digital life to the financial institutions if you want to use their services.
That's me fucked then. I rarely use search for anything of interest to them and am the sort who minimises exposure of information about myself and my financial doings.
They're never going to learn enough about me for their 'AI' to even recognise me as a person, let alone work out how good a financial risk I am.
But then, I'm an old fart and they're probably expecting Covid-19 to take care of me.
I've got one : bullshit.
You're going to establish my credit rating on what I've searched for ? So if I search Ferrari I'm going to get a good rating, and if I search Ford Metro I'll get a bad one ?
How's about basing your evaluation on what I've actually purchased ?
This is just one more excuse to fleece me of my private life.
Go to Hell.
Searching for/buying expensive toys like Ferrari doesn't mean you will have a good credit rating. People rich enough to buy something like that probably have a crappy credit rating, because they pay cash for their purchases and don't have car or mortgage payments and thus no credit history at all.
LOL, do yo believe they enter a Ferrari reseller with a suitcase full of money? Some dodgy types would do it, others will simply tell their accountants or assistants to transfer the money. And those are not the people credit ratings are used for - which sometimes let them pretend to have the money and leave huge debts behind.
That's a common mistake. Rich people don't have less debt, they have cheaper debt.
Paying for things using your own capital is madness. You're better off borrowing cheap money and paying it off using the high interest you're accruing.
Rich people don't burn capital, they get richer specifically because of that.
Only poor people use their own capital.
Well I happen to know a few "rich" people. The one I know best as I've known him since high school is probably worth $20 to $40 million - I'm not exactly sure but he makes about a million a year and has for over a decade (and high but not quite so high amounts before that)
He buys everything with cash. By "cash" I don't mean a suitcase full of bills, obviously. He writes a check or uses a debit/credit card. He's always said he "hates debt" and even bought his current home with cash, no mortgage.
Obviously it depends on the person, and some might try to leverage every dollar by borrowing when they can. But that's a bad assumption to make, and the richer you are the less it is even worth bothering with something like a car loan even if you are buying a million dollar car.
Or preferably, what you have actually paid after having purchased it?
I guess the hardware you use and what you look for may discover a lot of people who are very able to gamble the system by not paying what they purchase, purchase from dodgy outlets, or avoid taxes...
> You're going to establish my credit rating on what I've searched for ? So if I search Ferrari I'm going to get a good rating, and if I search Ford Metro I'll get a bad one ?
If you set your sights so low that your preferred car is some mutant offspring combination of a Ford Mondeo and an Austin Metro then you deserve the credit rating you get.
Isn't the solution obvious? Buy my super AI web search spoofer that pretends to be a rich twit reading fashionable sites on Safari. After a couple of weeks your credit rating will be AAAAAAA+++. Purchase today for a 10% discount. If you have already purchased you can upgrade to the enterprise version - with blockchain!
I was embarrassingly turned down for a mobile phone purchase after an in store check. No reason given, but after some research it turned out to be because I had never borrowed money (I had a credit card linked to my wife's name although it was paid off via our joint account). I would have purchased a phone outright but at the time a contract was the best deal.
So I ended up getting my own credit card, buying a few random items and a year later I have "good credit" rating. Flawed as it is, at least the current system has some transparency if you use the relevant online credit check services (under EU rules the data on you must be free to access). I suspect browser history would be very opaque. "Our AI system says you are a bad bet but we have know idea why and there's nothing you can do about it."
"So I ended up getting my own credit card, buying a few random items and a year later I have "good credit" rating."
Yes, it's weird but true. If you don't use credit, then your credit rating is zilch. They want proof you can pay off debt before they allow you to accrue debt. It's a bit of a catch 22. I've had no debt for over 20 years now so my credit rating, like yours, will be at the bottom of the scale if I ever try to get credit.
On the other hand, utilities are paid in arrears and so they are credit (or debt) and should be easy enough to account for by the credit reference agencies. Gas, electric, water and telecoms/broadband are all essentially the same as paying off a monthly credit card balance.
Utilities paid in arrears? Where have you been!
The utilities in the UK have been pushing payment by monthly direct debit for a couple of decades now, and you can guarantee that they will arrange to 'accidentally' keep most accounts in credit (i.e. you've paid more money up front than you owe).
They've now been penalizing customers who either want to pay quarterly in arrears, or pay by methods other than direct debit. This is either by a surcharge, or more cynically by offering a 'discount' to people who par by monthly direct debit.
I'd love Offgem or someone similar to estimate how much the utilities make in interest, or even save on money they don't have to borrow from all of the couple of hundred quid they have in up-front payments from their millions of customers.
Non users of septic media are thus potentially sidelined in future, that's kinda scary. Then there's this quote
“Governments should follow and carefully support the technological transition in finance. It is important to adjust policies accordingly and stay ahead of the curve.”
The very thought that *any* government could 'stay ahead of the curve' is just so funny.
Icon, the consequence of the level of horror and humour colliding
Well, as people should know, even in private browsing mode, your network use is known by your ISP and your favorite search engine - if you are using Google, it can be scary to look at your history and see what you were looking up 10 or so years ago, as the Chocolate Factory certainly has this data squirreled away somewhere.
So, Lock Picking Lawyer, EURIon constellations, muzzle velocity, making black powder using bishop's urine, atomic bomb assembly, Freeman Dyson & design of chemical weapons.... Not only am I probably already on a ton of watchlists, but I would guess that this would preclude me totally from any loan as a danger to humanity!!!
@bpdh "Not only am I probably already on a ton of watchlists, but I would guess that this would preclude me totally from any loan as a danger to humanity!!!"
That depends. Are you: White ethnicity, Male, Middle Class, Western?
Then congratulations, Sir, you have 'won' life, especially if you also count as 'Christian'. Have a loan*, only 3976% apr.
*Subject to terms and conditions: Your home, vehicle, entire personal history on planet earth, life partner, body parts and/or children may be used as collateral or payment in case of default of payments. APR may go up as well as up. This agreement may be terminated by us in writing to you at your address (but not by you). Thank you for your interest in our products, please feel free to recommend us to other schmucks.
A greater compilation of idiocy, I have not seen in some time.
We already have an enormous ecosystem of advertising fraud based on bots. These bots build their user profiles precisely through mimicking "good" customer profiles via prime web site visits in order to parlay themselves into good advertising subjects - then go on to harvest ads.
These numbskulls in the IMF are proposing to use DoubleClick/Facebook Pixel type data gathering so that these same fraud gangs can now directly open credit cards and bank accounts.
-10 points for blatantly repurposing an existing business practice as "original research"
-20 points for failing to consider the myriad ways by which their already plagiarized proposal can be abused
Scary proposition. But stay tuned because without clear data privacy laws, this will not be the the last you've heard of someone suggesting that turning over your search history will get you something you want or need.
That said, I don't think it's quite as black and white as others are suggesting. The specifics in your search history are likely not the issue. It's the overall searches that reveal who we really are. I don't dare to look at my history. Not that it's scary, but because I don't want to be less likely to seek information that I need because of the concern for how it might look at some point in the future when this becomes commonplace. I already do this with facebook. I think about every click and every pause in the scroll.
And if you think this won't become commonplace without clear data privacy laws, think about how many of us (I know there are plenty of individuals.. many of whom comment here frequently.. who don't fit this) have changed our tune about location tracking over the last decade. "I'd never let an app know where I am." was me 10 years ago. 5 years ago: "Does it benefit me enough to give away my location, and/or do I trust the developer enough?" Now: "Is this a super sketchy app or not?"
The IMF floating this idea is what concerns me the most. It will provide legitimacy for exposing us at a very intimate level (and I'm not even talking about pr0n).
I'm sorry to say but your search history is already turned over.
The only question is to how many.
The browsers do it. The forwarding links do it. The ISPs do it. Even the web sites do it.
If I can tell your search history just by forensically analyzing your computer, it means the OS can do it too. Ditto any other software or web app which operates on the same computer.
For now, they know:
1. The DNS queries for the specific domain and all the domains it pulls in. Until DoT or DoH, they'll keep having that.
2. The SNI requests which contain the domain name and the first page URL you request. If you type in a domain name, they get it and "/". If you click a link from a search engine, they get the whole thing. Until ESNI or one of the other suggestions takes effect, that will be available to them.
3. The destination IP. This may be a CDN, but not always. Plenty of people use a server dedicated to network requests which makes it obvious who runs it. Others will run multiple sites on a single server but not on all the other servers, meaning that only that server needs to be interrogated to figure out what the possibilities are.
4. The size and timing of requests. They probably don't go this far, but if they have a server to test, they can try certain likely pages until they identify the one requiring the right number of assets from the right locations. Sites that bring in images and scripts can fingerprint themselves in that way.
The above is one of the most best explanations of how real world traffic analysis is done I've seen in years. Throw in some well known network security tools that have been around for many years and one can even automate #4. The larger the ISP, the fewer original requests they have to make because they can build up a profile for comparison.
OCSP checks will still be carried out in the clear, giving away the likely domain names of the sites you visit when a certificate revocation check is performed. In the case of Cloudflare, you might have a situation where the cert has many domains associated with it but that won’t stop ISPs from correlating traffic.
There is no privacy on the public Internet, just like in the public commons in real life.
> The SNI requests which contain the domain name and the first page URL you request.
That's incorrect. Path information is not included in SNI. They get the domain name (assuming no eSNI) that's it.
4. is well, well beyond the lengths ISPs will go to. Technically feasible isn't enough, it has to be (perceived to be) cost-effective.
They also won't bother "interrogating" destination IPs to try and see what they host. Even if they were willing to go to those lengths, its the wrong way to go around it (far easier to check their own DNS logs and see what names resolve to those IPs - even if *you* use DoH, there's a good chance there are other users of that service who don't)
Well spotted. I wasn't very familiar with SNI's details and got that wrong. Thanks for the correction.
A few other methods of identifying a site I didn't think about last time include checking for differences in transfer sizes that might be connected to cookie usage, tracking frequency of requests to identify how much active content is on the page being accessed, checking packet latency and overall transfer speed to get information about the server and whether it's under load or not (this may make it easier to identify), or cross-referencing with other users' traffic which may be less secured.
Out of curiosity, I dove headfirst down the rabbit hole to understand the stench of waffle this working paper is based on.
Following the links and quotations, I end up on a German Bank research paper using customer mobile phone info from their digital banking portal, to decide how to speed up online loans and avoid risk:
-iOS users far lower risk, specifically compared to Samsung mobile owners
-Users with their full or partial name in their email address and/or business name are consistently lower risk (free and crap email providers are a bad sign, it specifically mentions Yahoo accounts as a bad indicator)
-Customers who arrived at the bank website via searching on a price comparison site are lower risk
-Customers who arrived at the bank website via clicking on paid ads are higher risk
-Users with high qty of spelling mistakes and ALL CAPS in loan applications are bad news for risk
-People who buy things online 11am-6pm are lower risk than people who buy things 11pm to 6am
End result: using the above metrics was 5-10% more reliable at judging credit risk, compared to their legacy in-branch credit risk scoring.
It doesn't appear to mention your Google Search history or Facebook posts at all - Clickbait? IMF future waffling?
Very interesting, thanks for checking up on this. In particular, I found the spelling mistakes and capitals item very interesting:
"-Users with high qty of spelling mistakes and ALL CAPS in loan applications are bad news for risk"
So how did Donald Trump WHO NOTORIOUSLY TWEETS IN CRAPITALS [sic] get to have loans of around US$400million? Did Mealnia fill out the forms for him?
iOS users far lower risk, specifically compared to Samsung mobile owners
I kind of understand why they favour Apple owners, but what's with Samsung? As opposed to, say, somebody with a lower end phone or Huawei or something?
Users with their full or partial name in their email address and/or business name are consistently lower risk (free and crap email providers are a bad sign, it specifically mentions Yahoo accounts as a bad indicator)
Oh dear. They get my Yahoo address specifically because it's easy to set up (and remove) disposable addresses. Oh, wait, you think I'm going to be handing out my private email address? Did that when the web was young, got burned when the autospam came along. Now my private address is exactly that, private.
Customers who arrived at the bank website via searching on a price comparison site are lower risk Customers who arrived at the bank website via clicking on paid ads are higher risk
Says all you need to know about the value of advertising there, doesn't it? How about arriving at the site by looking it up on Google?
Users with high qty of spelling mistakes and ALL CAPS in loan applications are bad news for risk
Yeh. Oi kun unnerstan dat.
People who buy things online 11am-6pm are lower risk than people who buy things 11pm to 6am
What about 6pm to 11pm? Because, you know, some of us have to go to work. But, sure, buying something at 5am does rather scream of "tail end of a late night gaming session at 'my place'" (translation: basement of parents house).
It'd be interesting to break down high end vs low end Samsung's.
Personally I hate Samsung phones and won't buy them (full of bloatware and Facebook unremovable). Several tech friends agree, so perhaps it's a sign the user can't afford iPhone but also lacks technical IT skills? Or maybe it's just a relative comparison to iPhone.
Buying an equivalent flagship Samsung phone which only has 24 months of updates for £200 less than the shiny iDevice with 5 years of updates means said individual is wasteful and/or impulsive. It’s just a shame they can’t detect and reward £80 Nokia Android users, who get 3 years of security updates (and complimentary warranty), bringing the cost of ownership down to a point where there is no decent competition.
I am waiting for the day I can add a simple mobile telephony baseband to a Windows desktop to handle SMS/Calls. Linux has the ability to do it (clearly) but I don’t want to have to virtualise a solution if I can avoid it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
