In Washington D.C. last week, I was, like seemingly everyone else around the city, in a rush. My taxi stopped at the station, and I pulled out a bank card to pay. The driver swiped the card through a small device plugged into his phone, and handed me the phone to select my tip.
The screen also asked if I wanted my receipt to be emailed to me. Ordinarily, this isn't something I would do, unnecessarily handing over a piece of information. But in my hurry, rather than messing around with trying to get some sort of paper receipt, I typed in my work email address. I received the receipt for the trip shortly after; pretty handy.
I was surprised, however, to automatically get another receipt a couple of days later when I paid for a couple of coffees at another establishment. Then another when I bought breakfast at a third place.
The payment system that the taxi driver and coffee shops used, as many of you have probably already guessed, was Square. Square had now linked my email address to my personal bank card, and, by extension, my spending habits at any retailers that use Square terminals. On top of that, as I found, Square does not make it straightforward to unlink or delete this data; instead, it encourages you to simply turn off the receipts (that is, if you even know what Square is).
With automatic receipts, my employer could now potentially see not just my work-related transactions, but personal ones too. So could Google, potentially, as they run the email service itself. This is also another type of data that hackers could then expose if they breached my email, not that my coffee habits are particularly interesting.
But mostly the issue, for me at least, is that I did not provide informed consent to link my email to all of my future Square transactions; if I had known that would happen, I probably would have acted differently.
I'm not the only one that Square's approach has annoyed. Emily Dreyfuss, writing for WIRED, got "mad as hell" about Square's automatic receipts, and the fact that she then received marketing emails from places she bought things from that used a Square terminal.
After the third receipt, I decided to see how easy it was to have Square unlink my email from my bank card. At the bottom of one of my receipts, I clicked "Manage preferences," which you might expect to be the next best step of unlinking your email. Instead, this only displays options for stopping receipts from that particular retailer, or turning off automatic receipts in general. There is nothing about unlinking your email altogether or getting it completely deleted from Square.
I clicked the "Learn more about digital receipts" option to try and find another way. That page doesn't have a specific section on removing your data. I then found another page with the heading "What if I received a receipt that wasn't meant for me?" which read, "If you'd like to unlink an email address from a payment card for automatic email receipts, you can click Not Your Receipt? at the bottom of your Square receipt or contact us."
That contact us link directs to a web form that is for details on an "Incorrect Receipt." That didn't sound right either, so I found another way to contact Square and describe my request—the Square email address reserved for privacy issues.
I wrote, "I do not want to unsubscribe from Square receipts; instead, I want to unlink my email from my payment card entirely."
Shortly afterwards, a Square customer support representative replied and provided the same information on how to unsubscribe from automatic receipts.
"You can disable automatic receipts any time," the representative wrote.
Again, I explicitly explained, "I don't only want to stop receiving automatic receipts—I would like Square to unlink this email address from my payment card in its database. Previously when I used a Square payment terminal, Square only had my card details. Now, it has my card details linked to this email address. Please can Square delete this information?"
Here, the representative did help, and asked me to provide some information on a previous transaction in order to identify my payment card. Once I did that, they wrote in an email, "I’ve unlinked the contact information you listed from the payment card in question. The next time this card is used with a Square Seller, you will be prompted to enter your contact information for digital receipts." I confirmed this was the case by buying something from a Square-powered merchant afterwards.
Square confirmed that disabling automatic receipts and unlinking your email address are two separate processes; doing the first won't result in the second. If you want to unlink your email address from your card, you'll likely have to do something similar to what I did and explicitly ask for it. Square said it doesn't delete the email address; it needs to retain the information for compliance reasons.
A Square spokesperson told Motherboard in an emailed statement, "We let customers know about email marketing and digital receipts when they first enter their email address on the point of sale, and through messages at the top and bottom of all receipts and emails. We are evaluating ways to make our tools even easier to use for both the buyer and seller." The spokesperson did not clarify whether, after unlinking an email address, Square retains that email address in any form.
For a service that is focused on streamlining processes, getting to this stage was laborious and not obvious, though.