cross-posted from: https://sopuli.xyz/post/12558862

So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending.

It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article:

In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it.

What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost.

It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register).

But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor.

Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce.

It’s obviously an encroachment of the data minimisation principle under the #GDPR. More data is being collected than necessary.

¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.

  • viking@infosec.pub
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    7 months ago

    There’s privacy, and there’s paranoia.

    If you don’t want to receive emails from servers belonging to Microsoft, Google, or Amazon, you better delete your mail account and ask them to mail you the receipt.

    • CameronDev@programming.dev
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      7 months ago

      If you take paranoia out of these privacy communities there would be nothing left.

      There is an easy solution for those that are paranoid, use a throwaway email for receipts.

    • freedomPusher@sopuli.xyzOP
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      7 months ago

      Privacy is about control.

      You don’t understand privacy given your conflation with paranoia and oversight of my mention of a boycott. Privacy is not just about non-disclosure of sensitive information. It’s much more than infosec.

      When you mislabel privacy as “paranoia”, you become part of the problem of advocating disempowerment of people in favor of control misappropriation.

      If you don’t want to receive emails from servers belonging to Microsoft, Google, or Amazon, you better delete your mail account and ask them to mail you the receipt.

      This absurd attempt at a false dichotomy showcases contempt for individuals having power to boycott selectively. What you suggest is wholly disempowering to people – to claim this all or nothing narrative… that people should either not have email access at all, or they should have zero control over who they connect with over email. Your stance represents a boot-licking wet dream for corporations and governments. It has no place in any privacy community.

      • freedomPusher@sopuli.xyzOP
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        7 months ago

        Even from a narrow purely infosec-privacy PoV, how can people be so clueless this day in age with the fully enshitified web?

        It’s not going to be a simple text email with your receipt attached. The email will be HTML with a tracker pixel (text MIME part broken or generally non-existent), so the seller can log the fact that you read the receipt, when, and with what IP address. Then when you get the email open, it won’t even contain the receipt because it will be used as an opportunity to get you on their website where they can get more sales. It will say “come to our website and pick up your receipt”. When you try to visit the site with the unique URL they send, Tor will be blocked (under the guise of “security” but in reality they want your browser print and IP again in case you used a text-only MUA). This will give them what makes it trivial to link your online identity to your offline purchase (cha-ching… mo money). Then a Google Plastore-only non-FOSS app will be shoved in your face as a more convenient way to fetch your receipts in the future. You will have to solve a CAPTCHA to reach your receipt, which generates more profit for them while steering people toward a shitty app.

        It will be like London Heathrow or JFK airport, where you cannot simply walk to your gate without being long-hauled through a series of marketing opportunities.

        And before you irrationally call this “paranoia” as well, I will preempt that by saying no, it’s capitalism. Which brings us the enshitified web.

  • Chozo@fedia.io
    link
    fedilink
    arrow-up
    2
    ·
    7 months ago

    I wonder how difficult it would be to make digital receipts into a simple PNG file that you can use your phone’s NFC to transfer the image directly to your device from the PIN pad. I know I’d be more likely to actually get a receipt if the digital option was as simple as tapping my phone and saving an image; especially if it was through a local, ad-hoc transfer that didn’t require transferring your data around the planet three times before getting a text message with a link to a website that may not even function a month from now. I feel like fixing the security of digital receipts would also fix a lot of the inconveniences that digital receipts currently present.

    • freedomPusher@sopuli.xyzOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      7 months ago

      NFC would encourage phone upgrading which is worse for the environment than the problem they think they are solving. Paper is biodegradable. Phones are not.

      Android 2.3+¹ supports bluetooth file transfers. This would avoid both the problem of using cloud energy and privacy problem (but only for smartphone owners who carry their smartphones). The article mentioned PDF being rejected. PNG could work, though it’d be a missed opportunity to get a digitally signed receipt. In any case, the paper receipt cannot be wholly replaced if it requires consumers to have a phone and to carry it, or if it requires sharing email addresses.

      ¹ maybe even AOS 1.8… didn’t check