Maker of the site here! Our servers don't touch any of this data, it goes straight to Very Good Security and lives in a PCI compliant vault ... We ourselves are building a new kind of bank so we take security very seriously and are not phishing.
Happy to talk through in more details but the FAQs do a pretty good job of that too!
As they mentioned checkout the FAQ where it outlines that process under the aptly named, "How does this site work?" and they also offer a template for you to mail yourself if your prefer.
With a better understanding of how VGS works I really just fall back to my weakest link in the chain questions:
Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?
Does Lob provide any interface that shows sent mail and the content (it appears they do)? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?
What stops you from scraping this data from Lob's API?
---
Original comment below.
I'm confused on how this data lands at Lob with an account number if you never get it.
Correct me if I'm wrong but the letter you send includes the account number and not the VGS token?
All of my following questions assumes an affirmative answer.
How is the account number landed in Lob? It appears something must be calling the Lob API with an unencrypted account number? What is making that call?
Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?
Does Lob provide any interface that shows sent mail and the content? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?
We do link to our site on the top and I can talk about this ad nauseam but suffice it to say we have a plan to build an (actual) bank from the ground up and we're trying align our incentives with the customers by doing things like paying customers higher interest rates for saving more instead of spending more etc.
tbh I'm not trying to use this as a platform for advertising but I'm happy to chat if you want to email me. zach [at] hmbradley.com
I wrote to Chase on their 'secure message portal', which feels like it is straight out of 1995. I told them I'm out of the country and cannot send mail.
I told them that I am rejecting the agreement to arbitrate. I also said that since their message portal feels official, this would be what I would use as proof of my opt out in court, if the need arises. I saved some screenshots as well.
They have updated me once already to say that they are still working on a response.
Again, I wish we did not have to do this but this is what Chase is forcing customers to do.
We also give customers a way to just download the form without giving us the info but then of course we can't mail it for them ... we were just trying to make this easier for customers to opt out with the shitty options we were given
Maybe an option would be a client-side only version of this form that onsubmit simply renders a PDF...then users could choose to mail or upload said PDF? (Double-sided for the address bit in a clear envelope window)
Good on you guys for making the thing and showing some effort, wasn't aware of their opt-out policy.
I mean, I believe this is well-intended but Chase is not forcing anyone to to enter their banking info into some random site on the internet. That's something you're asking and, at first glance, it seems completely bonkers.
Can you make the link for the download more obvious and less dark-pattern-y? I found it only after scouring the page (somehow the text under the form didn't catch my eye easily), and then it popped up a modal that unnecessarily asks for my email address. I closed it, annoyed, just barely noticing the small-font link to download without entering my email address.
If you actually care about privacy and claim to not be using or selling our information for anything, why don't you make it easier to avoid giving information entirely?
Having said that, thank you for creating this. I had left Chase's email about the terms change in my inbox, starred, so I'd remember to take care of this, but not having to formulate my own letter makes things so much easier.
>If you actually care about privacy and claim to not be using or selling our information for anything, why don't you make it easier to avoid giving information entirely?
Hmm, I don't see it that way. It seems like people are learning about the chase issue for the first time through this website. Ideally you'd have another website/article informing you about the issue, and then a link to this website for sending the letter. And so it would be weird to go to a website designed to send a letter, and be told that you can also not send the letter through the website...
They also provide a form for you to mail yourself and looks like they are only asking for info that Chase requests (chase does not require a social so that wouldn't be on this =).
I was surprised when I received the letter explaining this from Chase. I made a mental note to write them a letter and opt-out, which I had immediately forgotten about until now. Thanks to the creators of the site.
Here from myradvocate.com, which is partnering on this project with Zach / HM Bradley. We're psyched for this to go live.
We track news about arbitration pretty closely, and I've been surprised and impressed by how much this Chase issue has "broken through." I no joke overheard a random convo about it on BART on Sunday.
So few will opt out, Chase will get what it wants: No customers can make a dispute with chase in a court of law. They cannot band together for gross abuse. They will have achieved removing courts of law from the equation and replacing them with secret privatized courts that do not have to have any regard for the rule of law.
I just want to point out that, as a user, opting out of this portion of Chase's agreement could result in Chase deciding to close your account. Not advocating what course of action to take, but merely pointing out that there is risk associated with this action.
That being said, I have read through the email from Chase, and there is nothing that explicitly states that they will close it as a result of the user opting out of arbitration.
Does anyone have experience with similar situations with Chase or other banks and agreement opt-outs that they could share?
Yes, just to emphasize this post -- I have read elsewhere that your declining these terms could lead to your account(s) being closed immediately. What makes anyone think they wouldn't do that?
Disagreeing with the terms could close your account, but this section is severable (can be disagreed with separately).
Generally, opt-out is added to reduce the risk that courts will throw out the arbitration clause as unconscionable (unfair). Companies know that most people won't opt out, and any class action brought by somebody who opts out will only apply to other customers who opted out- cutting damages by 99%+.
Thanks, I'd been meaning to do this but couldn't be arsed.
This seems to be, at least in part, advertising for your bank. I clicked on it, but could get no real information about it. Would be curious for more info about it, as I'm generally tired of dealing with bad online presence.
Under the "What is the actual language in the agreement sent by Chase?" FAQ item, it says --
"Can I (the customer) reject this agreement to arbitrate?
Yes. You have the right to reject this agreement to arbitrate if you notify us no later than 8/9/2019. You must do so in writing by stating that you reject this agreement to arbitrate and include your name, account number, address and personal signature. Your notice must be mailed to us at P.O. Box 15298, Wilmington, DE 19850-5298. Rejection notices sent to any other address, or sent by electronic mail or communicated orally, will not be accepted or effective." (emphasis mine)
How does this service handle the "personal signature" requirement?
Edit: dumb question from me. I didn't follow the flow because I don't have a chase account, so I wasn't aware it was a multi-part form.
Original comment below:
---
I'm likewise not an attorney, but how hard would it be to do a simple "Type your name here to represent your signature" type of deal? This is the most common lay practice I've seen, with the more common CYA practice for electronic records being e.g. what Docusign or Adobe offer, or the use of cryptographic signatures.
"By checking this box, I certify that my account information is accurate and I want to e-sign and mail this document to chase to opt out of binding arbitration."
Just a layman here but that seems like a misinterpretation of the statute? The idea of the statute seems to be that the government will not void, nullify, or refuse to enforce the terms of an electronic contract. It does not state that in any given contract, private parties must accept the terms signed in any form whatsoever -- that's still left as something for those people to agree on, and Chase very clearly spelled out that that's not valid for the contract. So the "reason" for the invalidity of a contract wouldn't be that it has an electronic signature, but that one of the parties simply didn't follow the terms it set for validity (whatever they were -- in this case, that they be personally signed, and mailed by the actual account holder). So I'm very curious how legal opinions interpret the statute otherwise, since I don't see any hint that it was intended to be interpreted as allowing one of the parties to change the signing terms to include electronic signatures.
While I disagree on that point, what about the fact that the terms require you to mail it yourself.
Edit: Also, I'm not sure what "wet signature" means. The claim was not quite that the signature has to be in ink. The debate is over whether you (not someone else) are performing the signing, and whether you (not someone else) are mailing (not emailing etc.) it on paper (not e.g. a flash drive) or not. Which, to me, means you could sign on your computer/tablet/etc., then print that as your signature with a printer and then mail the form, with no ink involved anywhere in the process. That seems like a pretty reasonable interpretation of "personally signing" the letter and "mailing" it, so Chase would have a hard time arguing you didn't do that. But to type your name on a random website for someone else to print and mail the contract on your behalf? You neither personally signed that letter (whether on the computer or on the paper) nor did you mail it... all you did was casually tell some random guy on the internet to impersonate you to your financial institution.
I agree with you on the mailing part. Was just pointing out that a personal signature and electronic signature are identical unless specifically stated otherwise due to the E-Sign Act.
Re: that part: but you don't even have any way to sign this electronically to begin with. They did not provide you with an electronic form/page/whatever to sign, nor an electronic address to send your signature to. The contract required you to personally sign and mail a letter into that P.O. Box, and unless you plan on downloading your signature into that P.O. Box, you don't really have any other option besides paper (unless you get clever with papyrus or something I guess). No matter how I slice and dice it I don't see how the E-Sign act has any kind of relevance here... except perhaps for the part that if you keep a scanned copy of your letter for your records, that'd be considered just as valid of a record as a photocopy?
I didn't mean "mail" as in "literally drop off the envelope in the post box", I just meant "mail" as in "write the letter to be mailed". And no, when I say "write" I don't mean it necessarily precludes voice recognition or whatever new counterexample you might be trying to think of now either.
I'm not sure what that means though. If I printed off the form from the website would that count as me writing the letter to be mailed?
In any case, in the stuff quoted up top, I don't read this concept that it must be done personally. For example, it seems like it would be fine for my accountant to do it for me (though they may need me to sign it? maybe they can affix a seal or something)
There must be a way for a business to opt out of this clause, right?
Well I imagine the business case (if they even send the same kind of notification to businesses, which I don't know to be true or false) is easy since presumably the business's name is on the account and said business has someone authorized to take care of such paperwork, and I doubt the letter would (or should, for that matter) be accepted if it comes from someone else in the business. Presumably Chase could call back the business's legal department and ask if they weren't sure if it's valid? Dunno, but I don't see it as a very realistic question.
In terms of you as a consumer using the template they gave you, I mean, in principle I would assume it would count (you put your signature on it and mailed it; it clearly signals your own volition and intent to opt out), but I could see a judge saying no if Chase gave a convincing counterarguments why (e.g. hypothetically if Chase had a habit of getting a lot of legitimately fake opt-outs that they couldn't distinguish from yours, and if it would be obviously bad public policy to accept them, then yours probably shouldn't be valid either). Ultimately I'm not claiming gray areas are nonexistent...
I spent an afternoon looking into this a few weeks ago (I ran a mass opt-out campaign for Equifax a few years ago[1] and wanted to do it again for Chase) and I came to the exact same conclusion you did. I want to appreciate what’s going on here but at the same time it seems irresponsible to give people the impression that they have opted out when they haven’t.
Could I ask which part of this "case law supports in spades"? I imagine you're not claiming they have to accept emails (?) and otherwise I don't even see how you could e-sign this to begin with; you have to write the letter that ends up in their P.O. Box somehow, so you have to make the statement yourself and put your personal signature on paper (via ink or toner or otherwise is not the point) and mail it to them. But here you don't even write the letter or sign the letter yourself in any sense of the word. Like if a judge asked you "you need to have written and personally signed this letter for it to be valid; did you do that?" would you just give a straight unqualified "yes" and believe that would fly?
The answer to your question would be yes. Your electronic signature, printed out and transformed to a different medium, is still a valid signature.
The whole point of the act is to say that clicking a button on a computer to make a signature that is valid. That it later gets transmitted in some other form is irrelevant.
If i create and print out a docusigned document and mail it, it is still a personally written and signed document.
It is no different if I fill out a form that makes a document for me and click a button to sign it.
If this is confusing, answer my reply above and I'll try to start seeing where the confusion is
I'm trying to understand your argument and I guess I don't. So lets start simple so I can understand it better:
Do you think a signature made by a human clicking a button on a computer and then printed out is an electronic signature or a physical non-electronic one?
In this case, "a physical non-electronic signature". I could also see it as "a physical copy of an electronic signature" depending on if it's used in circumstances where you're presenting it as merely a copy of the original (e.g. for documentation/records of your contract with that website), but that's not the case here. Either way I don't see it as "an electronic signature" as far as the agreement goes. If it's on paper it's very clearly not "in electronic form".
Actually it's just like how if you send someone a letter via USPS that you typed and printed from Gmail then you've sent them mail, or perhaps a physical copy of an email, but not "an email".
Okay, so you are confusing concepts like "what is a signature", "what is an original", and "what would a court accept as valid evidence".
We are going to mostly put aside the third for now.
First: A signature does not change form once created. A physically signed document is a physically signed document, regardless of whether i scan it in. An electronically signed document is electronically signed regardless of whether i print it.
Period. The form does not change once created. Only it's originalness and acceptability as evidence.
So then what is electronic.
Second: Your definition of electronic is ... not encompassing enough.
Let's go to the E-SIGN act:
"ELECTRONIC– The term 'electronic' means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities."
That's a lot.
"ELECTRONIC SIGNATURE– The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
Note that because of the definition of electronic in the first part, the second is a lot broader than it looks despite it also being fairly expansive.
It only has to be associated with and then executed/adopted by a person with intent to sign a record. Note that it does not say electronic record (which the act defines) or electronic contract. Other parts of the act are restricted to electronic records/contracts, but given the duality, no court i'm aware of has read the limitation into this part of the act (the opposite is in fact true).
So what i gave you what a clear electronic signature. It was electronic process associated with a contract or record, executed by a person with intent to sign it.
It doesn't matter if it was later printed. The act itself will even support this.
Now we move on to what does the act say about such signatures or contract or ... ;
"
(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form;
(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.
...
(g) Notarization and Acknowledgment.--If a statute, regulation, or
other rule of law requires a signature or record relating to a
transaction in or affecting interstate or foreign commerce to be
notarized, acknowledged, verified, or made under oath, that requirement
is satisfied if the electronic signature of the person authorized to
perform those acts, together with all other information required to be
included by other applicable statute, regulation, or rule of law, is
attached to or logically associated with the signature or record.
...
(h) Electronic Agents.--A contract or other record relating to a
transaction in or affecting interstate or foreign commerce may not be
denied legal effect, validity, or enforceability solely because its
formation, creation, or delivery involved the action of one or more
electronic agents so long as the action of any such electronic agent is
legally attributable to the person to be bound.
"
Remember again our definition of electronic is very broad here.
The first says the signatures and contracts are valid even when they were in electronic form. That is again true even if i print it out and later mail it.
You may run into the issue about what is acceptable evidence to a court for the document itself, but you will not run into the issue of "is the signature on this document, which was originally electronic, valid as a signature".
The second says that a contract (again, very broad definition, definitely includes letter like this one!) can't be denied validity just because you used an electronic recor...
Thank you a ton for taking the time to patiently explain all this. So here's where I'm currently stuck. Or actually, I'm stuck in a few places right now:
(1) This is less relevant to this particular debate, but it's highly relevant to the actual opt-out page. On the webpage, I don't see the word "sign" at all. I imagine merely filling in your name into that box and clicking "Submit" doesn't turn your name into your signature. In fact the page explicitly says "the information for the Chase account holder"... which need not be you, so it definitely can't account as the account holder's signature... right? So regardless of the electronic vs. paper issue we still seem to have a pretty fundamental problem that even this page hasn't been signed by the account owner in any shape or form.
(2) This is more specific to our discussion. So if there were a signature box on that form and you put your name in as your electronic signature, what exactly would you have electronically signed? I never (I think) said that you wouldn't have electronically signed anything at all, but rather, that what you signed electronically would not have been the agreement of interest, i.e. the one to be sent to Chase. Rather, as I see it, you would have signed something separate from that -- more like a contract (if it even counts as a contract... not sure how considerations play into this, given it's free) with whoever's running that website, to write your intended letter, put a copy of your signature on it, and basically impersonate you in sending this to Chase. Leaving aside the question of whether this is fraud (which is also something I've been pondering, since Chase would seem to think it came from you), that would mean you never signed that agreement at all. At best, I feel you could only try to argue you gave this site a power of attorney to represent you... not sure how valid a court would find that with the form currently as-is. So I'm still struggling to see how you could claim to have signed the agreement sent to Chase.
(3) The "electronic agent" thing seems like a red herring (I'm not sure why you brought it up) since it seems to refer the software, not the human on the other side.
(4) Is this really a question of whether the agreement is valid "solely because it is in electronic form"? In my view it's a question of whether it's valid "because its terms for it taking effect are followed". One of the terms was signing it in electronic form, but that's just (if you will) an implementation detail the way I see it. This may be my CS-y brain but the law sounds like it's intended to address governmental "discrimination" against electronic signatures (if you will), not private decisions on how to form valid agreements. It seems kind of like how, even though the law requires that a $100 bill be valid as legal tender for all private debts, no store owner is obligated to accept a $100 bill as a payment of $100 for goods you haven't officially bought yet.
You assumed that the process is done when you click that first Submit button, but it is not. There is an e-signing step that makes it clear what you are doing and what you are signing. [0]
I also did not realize this and it probably would have prevented me from posing the question in the first place. Seems like it would be clearer for the first button say "Click to sign" or something (other than "Submit").
I have some questions about this model. Big ask I know but I am wondering if you'd reach out to me to discuss your interpretation of it (contact info in profile). I think there are some missing pieces here, and I'd really like to discuss this issue in depth with someone who understands the tech and the law as I think there may be a startup in some other places this law is applicable.
I'm a US attorney but not in contracts. Contracts is a fairly complicated area of law, and the fundamental common law of Ks that you study in law school tends to be very different from how Ks work "on the ground." Most notably, statutes currently exist that change the way this common law operates in sometimes non-obvious ways. Standard disclaimer here that this is in no way to be construed as legal advice, this is not my area of expertise; take this as high-level background.
Essentially, under the common law here, all that a contract needs in order to be valid is three things: a valid offer, a valid acceptance, and valid "consideration," where consideration is a legal term of art referring to 'something of value' gained through the agreement.
The idea is that, there is no servitude. Companies can offer whatever terms they want (subject to a very few number of restrictions, dependent on the industry/regulatory domain). You are under no pressure to accept. You can easily reject the terms by simply not using the product. Courts have generally been reluctant to prevent parties from agreeing to whatever lawful thing they want to agree to. The main exception is that you cannot have contracts which serve 'an illegal end.'
In the US, there's no need for a contract to be written or overheard at all. There need be no written document, no witnesses, no record whatsoever. So long as there is a valid offer (obvious jokes are not held to be valid offers, for instance), valid acceptance (you generally need to affirmatively signal acceptance, but this need not be oral or even explicit), and valid consideration (really nothing more than a formality nowadays, this is why many deeds say "exchanged for consideration of $1"), the contract is valid, even if it only exists in the minds of the two parties.
Obviously, proving such a contract can be difficult, but it can be done, particularly if the parties were acting in accordance with the terms of the claimed contract. If we orally agree that you will start working on building a shed for me, you buy supplies and deliver them to the site, but then stop work, you can't claim the contract never existed, because you've acted in accordance with that oral contract.
In this area specifically, there's been some progress made in getting the courts to understand the enormous power differential at play here. You nearly can't survive in this country without at least one credit card, and if all the major companies' cards have terms like this, then you don't really actually have a choice in the matter. It's been a slow process however.
It's called the "golden rule", they who have the gold make the rules.
OK, seriously, they don't technically get to decide what makes a binding agreement, a judge does that. But US law and US judges are very business-friendly. I mean there's the whole invented crime of "identity theft", whereby a bank who is defrauded by an individual gets to pass off their victimhood to a completely uninvolved third party.
I wrote to Chase on their 'secure message portal', which feels like it is straight out of 1995. I told them I'm out of the country and cannot send mail.
I told them that I am rejecting the agreement to arbitrate. I also said that since their message portal feels official, this would be what I would use as proof of my opt out in court, if the need arises. I saved some screenshots as well.
They have updated me once already to say that they are still working on a response.
Assuming that you're completely legit and utterly competent, there's still a big security problem here: it's encouraging people to put their PII and CC info into arbitrary Web sites.
On top of that, it's further identifying them as both Chase CC holders and receptive to scams, qualifying them as leads for further phishing/scamming.
Unfortunately this is the problem that Chase created ... we give users a way to download a form letter instead, but were just trying to make it as easy as possible for customers to opt out if they would like to do so
Sort of humorous comment, as PCI DSS is self assessment and attestation of compliance. If OP states they’ve met their burden, that’s all that’s required at their scale.
I give out my credit card number hundreds of times per year to websites that I have not verified have a merchant agreement with a payment processor to comply with PCI DSS.
In terms of what users are taught (which is plainly the context of the comment you are replying to), this website is identical to ecommerce sites.
>we give users a way to download a form letter instead
But you don't just let them download it. You make them give you their email address first.
Edit: Haha! No wait, you have to click through two levels of "Don't want to give us your info? Click here to get the letter". The first one asks for you email, only after the second do you actually get the letter. Why? They already said "dont want to...". Just give it to them!
Edit2: Also the form letter, prepopulated with the Chase customer service P.O. box address, is another scam pitfall. Anyone using this kind of form letter should always check the address with the financial institution before sending any forms, especially that include PII/financial information.
> The first one asks for you email, only after the second do you actually get the letter.
They're pretty clearly trying to collect email addresses through this campaign. I'm okay with that. My email address isn't exactly private, and this site is going to pay to mail physical letters for me.
> Also the form letter, prepopulated with the Chase customer service P.O. box address, is another scam pitfall. Anyone using this kind of form letter should always check the address with the financial institution before sending any forms, especially that include PII/financial information.
Is the address fradulent? If so, please tell us. If not, I don’t see the concern.
really? No concern downloading a form letter from some web site and mailing PII/account information to the address they provided?
Call me paranoid, but that kind of behavior is just waiting to run into a scam.
My point was not about the address, it was about general wariness of scams. No different than always calling your financial institution using a valid/known number, rather than a number provided to you by a voicemail/email/letter.
If I don't use this website, there is a 100% chance I will "agree" to binding arbitration. I know myself. There is absolutely no way I am going to print, fill out, and mail in a paper form.
Is this website a perfect solution? No, but I don't see a better option under the circumstances, and from what I can tell, the people running it are doing the right things within the confines of what is necessary for their solution to work.
If that's not the case, criticize away, and certainly let us know if you have a clear reason to believe this specific project is a scam. But keep the goal in mind. It certainly set off some alarm bells for me, but when I read through the site it all made sense.
Tomorrow, an enterprising scammer might clone the site to chaseoptoutservice.com, and do all the nefarious things mentioned above, and they'll be neck-and-neck in SEO.
They could have raised awareness to the problem and provided detailed instructions on how anyone can go about resolving it, in a manner that's consistent with best practices of protecting yourself.
It's a false dichotomy to say its either this web site or Chase wins.
Promoting risky and insecure behavior is just wrong. period. That's independent of whatever Chase or any other company is putting in their agreements.
I think you'd be helping people far more by pointing out all the problems with this kind of website, so they can be aware of the risks and hopefully avoid scams, rather than getting them out of binding arbitration clauses.
> It's a false dichotomy to say its either this web site or Chase wins.
But it's not! No one is going to mail in a form. Chase specifically chose that go that route because they know nobody nobody is going to mail in a form. The only way to get around this is to make the process easier. How else do you do that?
It strikes me as a very shortsighted to say "this behavior is wrong in all circumstances, period," while ignoring the benefits. Everything in life is some kind of risk trade-off.
Edit: I suppose your larger point is, the potential harm of this project greatly outweighs any potential good. I can respect that, but I'd really encourage you to research how messed up binding arbitration agreements are, particularly with regards to institutions like a bank.
fair enough. You're putting more weight on the harm of arbitration agreements, whereas I'm putting more weight on the harm of identity theft and phishing/online scams.
I would say that more broadly speaking the harm of arbitration agreements is solvable in other ways, such as government or advocacy actions. I'm guessing that's what led to this letter/form in the first place: some regulator, or litigation resulted in Chase having to provide an "opt out", and they fulfilled their requirement by making it a mail-in form to discourage opt-out.
If the harm persists then consumer advocates, elected representatives, and regulators can take another crack at it.
Educating people to be wary and careful with personal information is trickier. It's hard enough to spot a very well crafted spear-phishing attack, even when you know better and are generally vigilante. I don't know how else to deal with that except hyper-vigilance, and yes "this behavior is wrong in all circumstances, period,"
But again, I guess I'm weighing that risk higher than you are.
Perhaps a good way to deal with this would be to provide the address for convenience, but also include instructions for how someone could verify it for themselves. IE describe how to go to chase.com and look up the address. (Don't just provide a link to the address at chase.com, as that has the same problem as just providing the address.)
> Haha! No wait, you have to click through two levels of "Don't want to give us your info? Click here to get the letter". The first one asks for you email, only after the second do you actually get the letter. Why? They already said "dont want to...". Just give it to them!
Chase didn’t set up a website asking for account numbers. So how did Chase create this problem? What exactly have they done wrong? If someone disagrees with the policy, they can opt-out, so what’s the problem that causes someone to need to give a bank account number to a random website? Why not just disclose in big letters what the site is all about: lead generation for a law firm? This isn’t some kind of “we like to help people,” project any more than ambulance chasers seek “justice.” There is a place for lawsuits certainly, but let’s not pretend this is about “helping,” it’s about lead generation.
I don't see how that's relevant to what I said. The problem I was citing was the encouragement to put this info into a Web form on an arbitrary site. You should always be discouraging that.
It's even worse than that. If they try to authenticate you on the phone. They'll suggest calling you back, and they don't know what phone number they'll be calling you from.
They literally ask for their customers to pick up the phone from unknown numbers and give your bank details.
It seems to me that it's pretty flimsy? In particular:
> To conduct research and to improve and promote our services . We use the information wecollect to conduct research and to improve or enhance and promote our Services.
Both promotion and research are pretty damn broad terms, right?
not at all! We explicity ask if you want to opt in to future communications on our form - we are NOT using them to communicate with users if they do not opt in.
sorry you feel that way? We did put a fair amount of effort (and are spending our own dollars to mail the letters) so I don't think we are doing anything too unreasonable
It's entirely possible you have pure intentions, but I know nothing about (and therefore have no implicit trust in) your organization, so it would be a huge leap of faith for me to even consider putting this amount and degree of personal information into a random website.
The fact that your privacy policy's fine print allows you to use the information for something other than the express purpose at hand seriously undermines that, even if you have no actual intentions of doing anything shady.
Yes but it’s your Chase account number. If it gets leaked through this service, Chase precipitated that leak through their unethical use of arbitration.
Idk but I only have Chase through Amazon. Chase might get effed, but my Amazon account will probably always be fine.
If the problem is writing the letter or stamps, then why not just send the user a postage-paid envelope, pre-addressed to Chase, with a generic letter that she can fill in with her personal information and deposit into the mail?
You should now be wondering how this "service" can be "free". As someone else has figured out, this is a company that wants lists of Chase customers to which they can market their consumer arbitration-related services.
This is interesting since the whole point of opting out here is that consumers want to avoid arbitration and reserve their rights to sue.
Other websites are offering a more sensible solution for those who cannot be bothered to write a letter: templates for a simple letter a customer can just print out, fill in her information, sign and mail.
For sure. If you don’t care, you don’t care. If you do care, you might use an online form but not print it out and mail it.
Everyone here fearmongering this site is the enemy of good enough. Your credit card information is no more at risk than at a gas pump that possibly has a skimmer (and you’re not liable). Your PII has already been leaked by Equifax. Why give up even more rights by not opting out through a service that has taken reasonable precautionary measures for data protection?
What would be really cool is to see this extended to many types of opt-out-by-email things — I know it's a pretty widely-used dark pattern by e.g. newspapers and spam mail companies.
Very suspicious. Why should I opt out? Why did some companies/individuals think this was worth spending time building and promoting this service and spending potentially millions of dollars in print & postage to mail letters?
Fact: If millions of people were to take us up on this, we (Radvocate and our friends at HM Bradley) would get tangible value from the publicity around it.
Are you collecting email addresses of your future customers for marketing purposes ? Whats the guarantee that you don't mine the customer address information you collect for your new bank venture http://pdf.secdatabase.com/92/0001772417-19-000001.pdf
What did your legal counsel say about liability here? For example, what happens if a cardholder who used your opt-out service has a dispute with Chase, and Chase claims they did not receive the opt-out?
What has counsel advised about any risk of federal authorities investigating you as possible CC phishing operation (perhaps initiated by monitoring for bank-phishing-like domain name)? (Obviously you have some defense, but the best case might cost you money and misery.)
Also, do you expect to keep the domain name past an ICANN dispute?
It mentioned that the opt-out requires a specimen signature (from the FAQ as well What do I need to do to opt-out?). How would you be able to ensure that the opt-out process for the customer will be valid / accepted by Chase if there's no actual human signature?
From Chase's perspective, wouldn't they be asking for more details especially if their business hinges on retaining people into their business as much as they can?
I'm betting the latter. If you click on the HM Bradley logo it takes you to their homepage where it says that they're building a bank for the "next hundred years". I'll hand it to them, this is a pretty good way of collecting lots of email addresses.
Yup, I just happened to notice this by chance when the email came. I was really surprised to see this. Fortunately, I do have stamps lying around, so I've already mailed out a letter rejecting the agreement to arbitrate.
Perhaps they should discuss that in an FAQ, but let's face it, they are literally saying "We know you're out of the loop probably, and we know you are too lazy to write the letter yourself, so we'll do it for you".
Other than "user training", if it's legitimate, it is not unethical.
245 comments
[ 3.5 ms ] story [ 272 ms ] threadMaker of the site here! Our servers don't touch any of this data, it goes straight to Very Good Security and lives in a PCI compliant vault ... We ourselves are building a new kind of bank so we take security very seriously and are not phishing.
Happy to talk through in more details but the FAQs do a pretty good job of that too!
Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?
Does Lob provide any interface that shows sent mail and the content (it appears they do)? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?
What stops you from scraping this data from Lob's API?
---
Original comment below.
I'm confused on how this data lands at Lob with an account number if you never get it.
Correct me if I'm wrong but the letter you send includes the account number and not the VGS token?
All of my following questions assumes an affirmative answer.
How is the account number landed in Lob? It appears something must be calling the Lob API with an unencrypted account number? What is making that call?
Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?
Does Lob provide any interface that shows sent mail and the content? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?
Unfortunately Chase forces customers to mail a letter with this information on it so there's not much we can do
In another comment you talked about starting another kind of bank? details?
tbh I'm not trying to use this as a platform for advertising but I'm happy to chat if you want to email me. zach [at] hmbradley.com
Open-source a script I can run locally to generate PDFs with the information your form uses.
I told them that I am rejecting the agreement to arbitrate. I also said that since their message portal feels official, this would be what I would use as proof of my opt out in court, if the need arises. I saved some screenshots as well.
They have updated me once already to say that they are still working on a response.
Might as well leave a box for the SSN while you're at it
We also give customers a way to just download the form without giving us the info but then of course we can't mail it for them ... we were just trying to make this easier for customers to opt out with the shitty options we were given
Good on you guys for making the thing and showing some effort, wasn't aware of their opt-out policy.
If you actually care about privacy and claim to not be using or selling our information for anything, why don't you make it easier to avoid giving information entirely?
Having said that, thank you for creating this. I had left Chase's email about the terms change in my inbox, starred, so I'd remember to take care of this, but not having to formulate my own letter makes things so much easier.
Hmm, I don't see it that way. It seems like people are learning about the chase issue for the first time through this website. Ideally you'd have another website/article informing you about the issue, and then a link to this website for sending the letter. And so it would be weird to go to a website designed to send a letter, and be told that you can also not send the letter through the website...
We track news about arbitration pretty closely, and I've been surprised and impressed by how much this Chase issue has "broken through." I no joke overheard a random convo about it on BART on Sunday.
I've been party to some interesting convos about whether it would be legal for them to do so.
That being said, I have read through the email from Chase, and there is nothing that explicitly states that they will close it as a result of the user opting out of arbitration.
Does anyone have experience with similar situations with Chase or other banks and agreement opt-outs that they could share?
Generally, opt-out is added to reduce the risk that courts will throw out the arbitration clause as unconscionable (unfair). Companies know that most people won't opt out, and any class action brought by somebody who opts out will only apply to other customers who opted out- cutting damages by 99%+.
https://en.wikipedia.org/wiki/Consumer_arbitration#Unconscio...
I would actually like to see that service. A website that closes your bank account for you. They can be very tricky when you try to do that.
This is disgraceful behavior from a bank and they also made clear that they tend to close accounts for arbitrary reasons.
This seems to be, at least in part, advertising for your bank. I clicked on it, but could get no real information about it. Would be curious for more info about it, as I'm generally tired of dealing with bad online presence.
https://www.chaseoptout.com/PrivacyPolicy.pdf - let me know if you mean something else?
"Can I (the customer) reject this agreement to arbitrate?
Yes. You have the right to reject this agreement to arbitrate if you notify us no later than 8/9/2019. You must do so in writing by stating that you reject this agreement to arbitrate and include your name, account number, address and personal signature. Your notice must be mailed to us at P.O. Box 15298, Wilmington, DE 19850-5298. Rejection notices sent to any other address, or sent by electronic mail or communicated orally, will not be accepted or effective." (emphasis mine)
How does this service handle the "personal signature" requirement?
Original comment below:
---
I'm likewise not an attorney, but how hard would it be to do a simple "Type your name here to represent your signature" type of deal? This is the most common lay practice I've seen, with the more common CYA practice for electronic records being e.g. what Docusign or Adobe offer, or the use of cryptographic signatures.
The document is not actually present.
Unless Chase explicitly said wet signature, then a government court would find the electronic signature valid.
Edit: Also, I'm not sure what "wet signature" means. The claim was not quite that the signature has to be in ink. The debate is over whether you (not someone else) are performing the signing, and whether you (not someone else) are mailing (not emailing etc.) it on paper (not e.g. a flash drive) or not. Which, to me, means you could sign on your computer/tablet/etc., then print that as your signature with a printer and then mail the form, with no ink involved anywhere in the process. That seems like a pretty reasonable interpretation of "personally signing" the letter and "mailing" it, so Chase would have a hard time arguing you didn't do that. But to type your name on a random website for someone else to print and mail the contract on your behalf? You neither personally signed that letter (whether on the computer or on the paper) nor did you mail it... all you did was casually tell some random guy on the internet to impersonate you to your financial institution.
> Your notice must be mailed to us at P.O. Box 15298, Wilmington, DE 19850-5298.
That sounds like it has to be mailed, but who does the mailing doesn't matter. Similarly, wouldn't matter if you used the post or a courier.
I'm not sure what that means though. If I printed off the form from the website would that count as me writing the letter to be mailed?
In any case, in the stuff quoted up top, I don't read this concept that it must be done personally. For example, it seems like it would be fine for my accountant to do it for me (though they may need me to sign it? maybe they can affix a seal or something)
There must be a way for a business to opt out of this clause, right?
In terms of you as a consumer using the template they gave you, I mean, in principle I would assume it would count (you put your signature on it and mailed it; it clearly signals your own volition and intent to opt out), but I could see a judge saying no if Chase gave a convincing counterarguments why (e.g. hypothetically if Chase had a habit of getting a lot of legitimately fake opt-outs that they couldn't distinguish from yours, and if it would be obviously bad public policy to accept them, then yours probably shouldn't be valid either). Ultimately I'm not claiming gray areas are nonexistent...
[1] https://news.ycombinator.com/item?id=15207151
It makes electronic signatures as good as regular ones in interstate commerce. Period. Full stop. Caselaw supports this in spades.
The only meaningful case otherwise is where statutes explicitly require in-writing signatures (a good example is copyright transfers).
There is an intra-state version of this is UETA.
The whole point of the act is to say that clicking a button on a computer to make a signature that is valid. That it later gets transmitted in some other form is irrelevant.
If i create and print out a docusigned document and mail it, it is still a personally written and signed document.
It is no different if I fill out a form that makes a document for me and click a button to sign it.
If this is confusing, answer my reply above and I'll try to start seeing where the confusion is
Actually it's just like how if you send someone a letter via USPS that you typed and printed from Gmail then you've sent them mail, or perhaps a physical copy of an email, but not "an email".
We are going to mostly put aside the third for now.
First: A signature does not change form once created. A physically signed document is a physically signed document, regardless of whether i scan it in. An electronically signed document is electronically signed regardless of whether i print it. Period. The form does not change once created. Only it's originalness and acceptability as evidence.
So then what is electronic.
Second: Your definition of electronic is ... not encompassing enough. Let's go to the E-SIGN act:
"ELECTRONIC– The term 'electronic' means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities."
That's a lot.
"ELECTRONIC SIGNATURE– The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
Note that because of the definition of electronic in the first part, the second is a lot broader than it looks despite it also being fairly expansive.
It only has to be associated with and then executed/adopted by a person with intent to sign a record. Note that it does not say electronic record (which the act defines) or electronic contract. Other parts of the act are restricted to electronic records/contracts, but given the duality, no court i'm aware of has read the limitation into this part of the act (the opposite is in fact true).
So what i gave you what a clear electronic signature. It was electronic process associated with a contract or record, executed by a person with intent to sign it.
It doesn't matter if it was later printed. The act itself will even support this.
Now we move on to what does the act say about such signatures or contract or ... ;
"
(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form;
(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.
...
(g) Notarization and Acknowledgment.--If a statute, regulation, or other rule of law requires a signature or record relating to a transaction in or affecting interstate or foreign commerce to be notarized, acknowledged, verified, or made under oath, that requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable statute, regulation, or rule of law, is attached to or logically associated with the signature or record.
...
(h) Electronic Agents.--A contract or other record relating to a transaction in or affecting interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents so long as the action of any such electronic agent is legally attributable to the person to be bound. "
Remember again our definition of electronic is very broad here.
The first says the signatures and contracts are valid even when they were in electronic form. That is again true even if i print it out and later mail it. You may run into the issue about what is acceptable evidence to a court for the document itself, but you will not run into the issue of "is the signature on this document, which was originally electronic, valid as a signature".
The second says that a contract (again, very broad definition, definitely includes letter like this one!) can't be denied validity just because you used an electronic recor...
(1) This is less relevant to this particular debate, but it's highly relevant to the actual opt-out page. On the webpage, I don't see the word "sign" at all. I imagine merely filling in your name into that box and clicking "Submit" doesn't turn your name into your signature. In fact the page explicitly says "the information for the Chase account holder"... which need not be you, so it definitely can't account as the account holder's signature... right? So regardless of the electronic vs. paper issue we still seem to have a pretty fundamental problem that even this page hasn't been signed by the account owner in any shape or form.
(2) This is more specific to our discussion. So if there were a signature box on that form and you put your name in as your electronic signature, what exactly would you have electronically signed? I never (I think) said that you wouldn't have electronically signed anything at all, but rather, that what you signed electronically would not have been the agreement of interest, i.e. the one to be sent to Chase. Rather, as I see it, you would have signed something separate from that -- more like a contract (if it even counts as a contract... not sure how considerations play into this, given it's free) with whoever's running that website, to write your intended letter, put a copy of your signature on it, and basically impersonate you in sending this to Chase. Leaving aside the question of whether this is fraud (which is also something I've been pondering, since Chase would seem to think it came from you), that would mean you never signed that agreement at all. At best, I feel you could only try to argue you gave this site a power of attorney to represent you... not sure how valid a court would find that with the form currently as-is. So I'm still struggling to see how you could claim to have signed the agreement sent to Chase.
(3) The "electronic agent" thing seems like a red herring (I'm not sure why you brought it up) since it seems to refer the software, not the human on the other side.
(4) Is this really a question of whether the agreement is valid "solely because it is in electronic form"? In my view it's a question of whether it's valid "because its terms for it taking effect are followed". One of the terms was signing it in electronic form, but that's just (if you will) an implementation detail the way I see it. This may be my CS-y brain but the law sounds like it's intended to address governmental "discrimination" against electronic signatures (if you will), not private decisions on how to form valid agreements. It seems kind of like how, even though the law requires that a $100 bill be valid as legal tender for all private debts, no store owner is obligated to accept a $100 bill as a payment of $100 for goods you haven't officially bought yet.
https://i.snag.gy/tSf20W.jpg
AFAIK in the Netherlands oral statements, when overheard by a witness, have the same legal standing as a signed contract.
Essentially, under the common law here, all that a contract needs in order to be valid is three things: a valid offer, a valid acceptance, and valid "consideration," where consideration is a legal term of art referring to 'something of value' gained through the agreement.
The idea is that, there is no servitude. Companies can offer whatever terms they want (subject to a very few number of restrictions, dependent on the industry/regulatory domain). You are under no pressure to accept. You can easily reject the terms by simply not using the product. Courts have generally been reluctant to prevent parties from agreeing to whatever lawful thing they want to agree to. The main exception is that you cannot have contracts which serve 'an illegal end.'
In the US, there's no need for a contract to be written or overheard at all. There need be no written document, no witnesses, no record whatsoever. So long as there is a valid offer (obvious jokes are not held to be valid offers, for instance), valid acceptance (you generally need to affirmatively signal acceptance, but this need not be oral or even explicit), and valid consideration (really nothing more than a formality nowadays, this is why many deeds say "exchanged for consideration of $1"), the contract is valid, even if it only exists in the minds of the two parties.
Obviously, proving such a contract can be difficult, but it can be done, particularly if the parties were acting in accordance with the terms of the claimed contract. If we orally agree that you will start working on building a shed for me, you buy supplies and deliver them to the site, but then stop work, you can't claim the contract never existed, because you've acted in accordance with that oral contract.
In this area specifically, there's been some progress made in getting the courts to understand the enormous power differential at play here. You nearly can't survive in this country without at least one credit card, and if all the major companies' cards have terms like this, then you don't really actually have a choice in the matter. It's been a slow process however.
OK, seriously, they don't technically get to decide what makes a binding agreement, a judge does that. But US law and US judges are very business-friendly. I mean there's the whole invented crime of "identity theft", whereby a bank who is defrauded by an individual gets to pass off their victimhood to a completely uninvolved third party.
I told them that I am rejecting the agreement to arbitrate. I also said that since their message portal feels official, this would be what I would use as proof of my opt out in court, if the need arises. I saved some screenshots as well.
They have updated me once already to say that they are still working on a response.
On top of that, it's further identifying them as both Chase CC holders and receptive to scams, qualifying them as leads for further phishing/scamming.
https://www.pcicomplianceguide.org/faq/#4
Disclaimer: I work in governance/risk/compliance, but have not performed PCI compliance work in the last several years.
In terms of what users are taught (which is plainly the context of the comment you are replying to), this website is identical to ecommerce sites.
But you don't just let them download it. You make them give you their email address first.
Edit: Haha! No wait, you have to click through two levels of "Don't want to give us your info? Click here to get the letter". The first one asks for you email, only after the second do you actually get the letter. Why? They already said "dont want to...". Just give it to them!
Edit2: Also the form letter, prepopulated with the Chase customer service P.O. box address, is another scam pitfall. Anyone using this kind of form letter should always check the address with the financial institution before sending any forms, especially that include PII/financial information.
They're pretty clearly trying to collect email addresses through this campaign. I'm okay with that. My email address isn't exactly private, and this site is going to pay to mail physical letters for me.
> Also the form letter, prepopulated with the Chase customer service P.O. box address, is another scam pitfall. Anyone using this kind of form letter should always check the address with the financial institution before sending any forms, especially that include PII/financial information.
Is the address fradulent? If so, please tell us. If not, I don’t see the concern.
really? No concern downloading a form letter from some web site and mailing PII/account information to the address they provided? Call me paranoid, but that kind of behavior is just waiting to run into a scam.
My point was not about the address, it was about general wariness of scams. No different than always calling your financial institution using a valid/known number, rather than a number provided to you by a voicemail/email/letter.
If I don't use this website, there is a 100% chance I will "agree" to binding arbitration. I know myself. There is absolutely no way I am going to print, fill out, and mail in a paper form.
Is this website a perfect solution? No, but I don't see a better option under the circumstances, and from what I can tell, the people running it are doing the right things within the confines of what is necessary for their solution to work.
If that's not the case, criticize away, and certainly let us know if you have a clear reason to believe this specific project is a scam. But keep the goal in mind. It certainly set off some alarm bells for me, but when I read through the site it all made sense.
Tomorrow, an enterprising scammer might clone the site to chaseoptoutservice.com, and do all the nefarious things mentioned above, and they'll be neck-and-neck in SEO.
If the response is to attack the legit version, then Chase wins! That's not an acceptable outcome either.
It's a false dichotomy to say its either this web site or Chase wins.
Promoting risky and insecure behavior is just wrong. period. That's independent of whatever Chase or any other company is putting in their agreements.
I think you'd be helping people far more by pointing out all the problems with this kind of website, so they can be aware of the risks and hopefully avoid scams, rather than getting them out of binding arbitration clauses.
But it's not! No one is going to mail in a form. Chase specifically chose that go that route because they know nobody nobody is going to mail in a form. The only way to get around this is to make the process easier. How else do you do that?
It strikes me as a very shortsighted to say "this behavior is wrong in all circumstances, period," while ignoring the benefits. Everything in life is some kind of risk trade-off.
Edit: I suppose your larger point is, the potential harm of this project greatly outweighs any potential good. I can respect that, but I'd really encourage you to research how messed up binding arbitration agreements are, particularly with regards to institutions like a bank.
I would say that more broadly speaking the harm of arbitration agreements is solvable in other ways, such as government or advocacy actions. I'm guessing that's what led to this letter/form in the first place: some regulator, or litigation resulted in Chase having to provide an "opt out", and they fulfilled their requirement by making it a mail-in form to discourage opt-out. If the harm persists then consumer advocates, elected representatives, and regulators can take another crack at it.
Educating people to be wary and careful with personal information is trickier. It's hard enough to spot a very well crafted spear-phishing attack, even when you know better and are generally vigilante. I don't know how else to deal with that except hyper-vigilance, and yes "this behavior is wrong in all circumstances, period," But again, I guess I'm weighing that risk higher than you are.
Yeah. That got me a bit irritated. Here's the form without having to give any info : https://www.chaseoptout.com/ChaseOptOut.pdf
But they also do B!
Doesn’t matter. A is bad.
They literally ask for their customers to pick up the phone from unknown numbers and give your bank details.
It seems to me that it's pretty flimsy? In particular:
> To conduct research and to improve and promote our services . We use the information wecollect to conduct research and to improve or enhance and promote our Services.
Both promotion and research are pretty damn broad terms, right?
The fact that your privacy policy's fine print allows you to use the information for something other than the express purpose at hand seriously undermines that, even if you have no actual intentions of doing anything shady.
Personally, I'm very much okay with the exchange in this case, particularly given the cost of mailing physical letters.
Idk but I only have Chase through Amazon. Chase might get effed, but my Amazon account will probably always be fine.
People who order stamps online?
If the problem is writing the letter or stamps, then why not just send the user a postage-paid envelope, pre-addressed to Chase, with a generic letter that she can fill in with her personal information and deposit into the mail?
You should now be wondering how this "service" can be "free". As someone else has figured out, this is a company that wants lists of Chase customers to which they can market their consumer arbitration-related services.
This is interesting since the whole point of opting out here is that consumers want to avoid arbitration and reserve their rights to sue.
Other websites are offering a more sensible solution for those who cannot be bothered to write a letter: templates for a simple letter a customer can just print out, fill in her information, sign and mail.
Everyone here fearmongering this site is the enemy of good enough. Your credit card information is no more at risk than at a gas pump that possibly has a skimmer (and you’re not liable). Your PII has already been leaked by Equifax. Why give up even more rights by not opting out through a service that has taken reasonable precautionary measures for data protection?
What would be really cool is to see this extended to many types of opt-out-by-email things — I know it's a pretty widely-used dark pattern by e.g. newspapers and spam mail companies.
I'd love for us to have that problem.
What has counsel advised about any risk of federal authorities investigating you as possible CC phishing operation (perhaps initiated by monitoring for bank-phishing-like domain name)? (Obviously you have some defense, but the best case might cost you money and misery.)
Also, do you expect to keep the domain name past an ICANN dispute?
From Chase's perspective, wouldn't they be asking for more details especially if their business hinges on retaining people into their business as much as they can?
Update: Additional wording
Are you just going to discard all the data afterwards or is it just a ploy to build a mailing list for your bank?
Other than "user training", if it's legitimate, it is not unethical.