PayPal: Data transfer to over 600 third-party companies + metadata

If you are a PayPal customer, you should know this: With every transaction via PayPal, there is a possibility that your (personally identifiable) data will be “shared” with up to 600 third-party providers.

Don’t believe it? Then take a look at this gigantic list which has been in force since January 1, 2018. I went over it with a grep and counted over 600 third-party providers. In the column on the far right (Data Disclosed), you can also see what data is involved:

  • name
  • address
  • email address
  • telephone number
  • country of residence/business
  • details of user funding instruments
  • details of payment transactions
  • user’s bank account information
  • all account information except details of user financial instruments
  • all account information and IP address

If you care about data protection and you (still) use PayPal, then you should know what to do…


This metadata is permanently collected by PayPal from the device and transmitted to the address

additionalData={
    "app_guid": "4e1ad8ed-6dcb-4657-82ee-19c79d3a0071", // Unique identifier of the app
    "app_id": "com.paypal.android.p2pmobile", // Application ID
    "android_id": "edaa7add7a316385", // Android device ID
    "app_version": "8.64.1", // Version of the app
    "app_first_install_time":1719478473811, // Timestamp of the first installation of the app
    "app_last_update_time":1719478473811, // Timestamp of the last update of the app
    "conf_url": "https:\/\/www.paypalobjects.com\/rdaAssets\/magnes\/magnes_android_rec_v6.json", // Configuration URL
    "comp_version": "6.6.4.release", // Component version
    "device_model": "Pixel 6a", // Device model
    "device_name": "bluejay", // Code name of the device
    "gsf_id": "36b9af6122a90c7c", // Google Services Framework ID
    "is_emulator":false, // Boolean value indicating whether the device is an emulator
    "ef": "00000", // Error flag
    "is_rooted":true, // Boolean value indicating whether the device is rooted
    "rf": "0000101", // Root flag
    "os_type": "Android", // Operating system type
    "os_version": "14", // Operating system version
    "payload_type": "full", // Type of payload
    "sms_enabled":true, // Boolean value indicating whether SMS is enabled
    "mac_addrs": "02:00:00:00:00:00:00", // MAC address of the device
    "magnes_guid":{"id": "2b306d1d-1a00-4b7e-b161-fabbaed15982", "created_at":1719478557897}, // Magnes GUID and creation timestamp
    "magnes_source":10, // Magnes source identifier
    "source_app_version": "8.64.1", // Version of the source app
    "total_storage_space":118396899328, // Total storage space in bytes
    "nc":[101], // Network conditions (specific meaning unknown)
    "screen":{
        "width":1080, // Screen width in pixels
        "height":2400, // Screen height in pixels
        "density":2.625, // Screen density
        "densityDpi":420, // Screen density in DPI
        "scale":2.625, // Screen scale
        "xdpi":428.625, // X DPI
        "ydpi":429.295, // Y DPI
        "brightness":34 // Screen brightness
    },
    "cpu":{
        "cores":8, // Number of CPU cores
        "maxFreq":2802000, // Maximum CPU frequency in Hz
        "minFreq":300000 // Minimum CPU frequency in Hz
    },
    "disk":{
        "total":118396899328, // Total disk space in bytes
        "total_sd":-400, // Total SD card memory (negative means not available)
        "mounted":false, // Boolean value indicating whether the hard disk is mounted
        "free":108418330624, // Free storage space in bytes
        "free_sd":-400 // Free SD card memory (negative means not available)
    },
    "system":{
        "version": "Linux 5.10.177-android13-4-00003-ga7208022a7ea-ab10815828", // System version
        "board": "bluejay", // Board name
        "bootloader": "bluejay-1.3-10825045", // Bootloader version
        "cpu_abi1": "arm64-v8a", // CPU ABI
        "display": "UQ1A.231205.015", // Display ID
        "radio":"g5123b-125137-231014-B-10950115", // Radio version
        "fingerprint": "google\/bluejay\/bluejay:14\/UQ1A.231205.015\/11084887:user\/release-keys", // Device fingerprint
        "hardware": "bluejay", // Hardware
        "manufacturer": "Google", // Manufacturer
        "product": "bluejay", // Product name
        "time":1699658047000, // System timestamp
        "system_type": "aarch64" // System type
    },
    "user_agent":{
        "dua": "Mozilla\/5.0 (Linux; Android 14; Pixel 6a Build\/UQ1A.231205.015; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/125.0.6422.165 Mobile Safari\/537.36" // User agent string
    },
    "t":true, // Boolean value (meaning unknown)
    "pairing_id":"419840a0f5c749fdb7b025bcf032415f", // Pairing ID
    "bssid": "02:00:00:00:00:00:00", // Base station ID
    "conn_type": "WIFI", // Connection type
    "conf_version": "6.0", // Configuration version
    "dmo":true, // Boolean value (meaning unknown)
    "dc_id":"dcff6dfd1fd047c80ecc91cfd2bf3f1d", // Data center ID
    "device_uptime":2140610, // Operating time of the device
    "ip_addrs": "192.168.25.5", // IP address
    "ip_addresses":["192.168.25.5"], // List of IP addresses
    "locale_country": "DE", // Country code of the region
    "locale_lang": "de", // Language code of the region
    "phone_type": "gsm", // Phone type
    "risk_comp_session_id": "c550787e-0d1a-4418-b047-adb3d701d55a", // Session ID for risk components
    "roaming":false, // Boolean value indicating whether the device is roaming
    "sim_operator_name": "Vodafone", // Name of the SIM operator
    "ssid":"", // SSID of the network
    "timestamp":1719478611096, // Timestamp
    "tz_name": "Central European Summer Time", // Time zone name
    "ds":true, // Boolean value (meaning unknown)
    "tz":7200000, // Time zone in milliseconds
    "network_operator":"", // Network operator
    "proxy_setting":"host=192.168.25.50,port=8080", // Proxy settings
    "c": "3", // (meaning unknown)
    "mg_id": "aa5b6622a64c18dac9ef614cc7cdc16c", // Magnes ID
    "pl": "001100", // (meaning unknown)
    "battery":{
        "temp":313, // Battery temperature
        "voltage":4070, // Battery voltage
        "state":3, // Battery status
        "method":0, // Charging method
        "level":",75", // Battery charge level
        "current":-327500, // Amperage
        "low_power":0 // Boolean value indicating whether the device is in energy-saving mode
    },
    "memory":{
        "free_runtime":19356800, // Free runtime memory in bytes
        "max_runtime":536870912, // Maximum runtime memory in bytes
        "total_runtime":67129920, // Total runtime memory in bytes
        "free":2052288512, // Free memory in bytes
        "total":5876191232 // Total memory in bytes
    },
    "sr":{
        "ac":true, // Boolean value indicating whether the acceleration sensor is activated
        "gy":true, // Boolean value indicating whether the gyroscope is activated
        "mg":true // Boolean value indicating whether the magnetometer is activated
    }
}
&appGuid=4e1ad8ed-6dcb-4657-82ee-19c79d3a0071&libraryVersion=Dyson/6.6.4.RELEASE (ANDROID 14)

The sensor data from the built-in acceleration sensors (LSM6DSR) is also transmitted continuously:

{
  "pairing_id": "d2821de690344762875000a193113e6c",
  "s": [
    {
      "n": "LSM6DSR Accelerometer",
      "v": "STMicro",
      "pwr": "0.00100000",
      "ver": "1",
      "re": "0.00478565",
      "mr": "156,90640259",
      "mec": "3000",
      "t": "ac",
      "p": [
        ["-0.9541380405426025", "4.357928276062012", "8.341978073120117", "1719479674179"],
        ["-1.1892328262329102", "4.594817638397217", "8.519046783447266", "1719479674220"],
        ["-0.8536394834518433", "4.4033918380737305", "8.279764175415039", "1719479674265"]
      ]
    }
  ]
}

Example:

-0.9541380405426025: The acceleration in the X direction (horizontal, left-right).
4.357928276062012: The acceleration in the Y direction (vertical, down-up).
8.341978073120117: The acceleration in the Z direction (forwards-backwards).

(c) Source : kuketz-blog.de

9 Likes
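
Added example (not part of the post above or of kuketz-blog.de): a small audit script for a request body of the shape shown in the post, captured from your own device through an intercepting proxy. It decodes the `additionalData` parameter and groups its fields so the stable device identifiers stand out from the rest. The key names are the ones in the post; the grouping into categories, the function names and all sample values are assumptions of this example.

```python
import json
from urllib.parse import parse_qs, urlencode

# Key names come from the payload in the post; the grouping into categories
# is this example's assumption, not PayPal documentation.
CATEGORIES = {
    "persistent_id": {"android_id", "gsf_id", "app_guid", "mg_id",
                      "magnes_guid.id", "mac_addrs", "system.fingerprint"},
    "network": {"ip_addrs", "ip_addresses", "bssid", "ssid", "conn_type",
                "proxy_setting", "sim_operator_name", "network_operator"},
    "integrity": {"is_rooted", "is_emulator", "rf", "ef"},
}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested JSON object."""
    for key, value in obj.items():
        path = prefix + key
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value

def audit_body(body):
    """Decode additionalData from a form-encoded body and group its leaves."""
    fields = parse_qs(body, keep_blank_values=True)
    if "additionalData" not in fields:
        raise ValueError("no additionalData parameter in body")
    data = json.loads(fields["additionalData"][0])
    report = {name: {} for name in CATEGORIES}
    report["other"] = {}
    for path, value in flatten(data):
        category = next((c for c, keys in CATEGORIES.items() if path in keys), "other")
        report[category][path] = value
    return report

# Constructed sample: key names as in the post, all values are placeholders.
SAMPLE_BODY = urlencode({
    "additionalData": json.dumps({
        "android_id": "0000000000000000",
        "gsf_id": "1111111111111111",
        "is_rooted": True,
        "ip_addrs": "192.0.2.10",
        "proxy_setting": "host=192.0.2.1,port=8080",
        "screen": {"width": 1080, "height": 2400},
        "system": {"fingerprint": "vendor/device/device:14/BUILD/1:user/release-keys"},
    }),
    "appGuid": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    for category, leaves in audit_body(SAMPLE_BODY).items():
        print(category, sorted(leaves))
```

Fields that land in `other` (screen, CPU, battery and so on) are not identifiers on their own, but in combination they still narrow down a device.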

I deleted my mostly unused account when they announced these changes (although they were selling my info even before that, I imagine, even with the opt-outs I had enabled).

For those who intend to keep their accounts, this might help: PayPal wants to share your data – unless you do this | TechRadar

I wonder how people without an account who are forced to use PayPal in online checkout can protect themselves…?

6 Likes

Thanks for this!

…I’m sure those are little more than placebo switches at this point, but I’m grateful to know where they are so I can show a bit of effort.

Unfortunately, I think it’s going to be almost impossible for there to be some sort of privacy-centric version of Paypal. If it successfully keeps things private, it’s going to be a magnet for Silk Road transactions and money laundering and all of those other things no financial provider wants to be associated with. Peer-to-peer solutions have also shown to be difficult to use in this context (love or loathe Bitcoin or Ethereum, out of 1,000 people, how many would be able to accept cryptocurrency as repayment for lunch?), and pretty much every alternative to these services (Venmo, Cashapp, Zelle, etc.) is just Paypal with a new coat of paint.

Unless we’re paying everything with cash (not a bad idea, ultimately), at some point, financial transactions involve a number of people knowing a name and address, some we know, some we don’t. My Paypal account is too old for closing it to matter, so…while I’m open to a solution, I haven’t found one that solves problems, rather than trading them.