Sunday, 22 February 2009

Urgent warning to American Express cardholders

If you have an American Express card, you need to take action now: Unless you cancel your card and close your account, or unless AmEx is persuaded to withdraw changes it has announced (effective 2 April 2009) to the terms of its agreement with cardholders, you will be deemed to have given your consent to receive calls including robocalls, and SMS text messages, from AmEx, in perpetuity, at any number you ever use to contact AmEx, including cell phones. That could be costly, damaging to your relationships with friends, family, and business associates whose phones you might need to use to call AmEx in an emergency, and put you in severe danger of having your information broadcast to strangers (if, for example, a robocall plays a recorded message to the receptionist at a hotel where you've already checked out, or another guest at the direct-dial number for the room that you had once stayed in).

Before ATMs were so widespread, I used to recommend carrying an American Express card as a check-cashing card when travelling abroad. More recently, although their practices have prompted me to threaten to cancel my card, I've kept it as an emergency backup. This latest proposal, however, will definitely be the last straw for me if AmEx doesn't back down.

Here's the letter I've sent to AmEx in response to the fine print in my latest statement.

American Express
Customer Service
P.O. Box 981535
El Paso, TX 79998-1535

Re: proposed changes to terms of cardholder account

I have been an American Express cardholder for 20 years. My current AmEx card number is [redacted]. With my latest statement (dated 10 February 2009) I received changes proposed by you to our Agreement, including the following proposed new terms:

Effective April 2, 2009, the Telephone Monitoring/Recording section of your Agreement is deleted and replaced with the following:

"Telephone Communications

You agree that from time to time we may monitor and/or record calls between you (or Additional Cardmembers on your account) and us to assure the quality of our customer service or as required by law.

You authorize us to call or send a text message to you at any number you give us or from which you call us, including mobile phones. You authorize us to make such calls using automatic telephone dialing systems for any lawful purpose...

You authorize us to place prerecorded calls in connection with the status of your account, or security and identity theft matters.

You agree to pay any fees or charges you incur for incoming calls or text messages from us without reimbursement."

I do not agree to these proposed changes in the terms of our agreement. I request that you reply in writing, prior to 2 April 2009, to confirm either (1) that you have withdrawn these proposed changes or (2) that you have (a) closed my account, (b) added all telephone numbers that you have associated with my account to your do-not-call and do-not-text-message lists, and (c) advised the person responsible for the decision to require these new terms that these terms are the reason for your loss of my business after 20 years.

I have an American Express card to use while travelling, primarily while travelling internationally. Of necessity, I use a variety of telephones and numbers to contact American Express while travelling, including telephones at the homes of friends and in the offices of business associates, friends' mobile phones, hotel phones, and public phones. When I use my own mobile phone abroad, it is typically at an extremely high "international roaming" tariff.

Even if I were willing to agree to terms like these for myself, I have no authority to consent to have the friends, business associates, and others whose phones I use to contact you receive calls (including robocalls) and text messages -- in perpetuity! -- from you. Consent for such calls and text messages could come only from them. Were I to purport to consent on their behalf, as you have proposed, I would subject myself to potentially severe liability to them.

Because the phones I use while travelling typically are not my own, but are shared with and primarily used by other people, automated calls or text messages from you to those numbers are likely to be received by someone other than myself. As a result, such calls or messages are likely to result in the broadcasting of my personal information to third parties, and thus to facilitate invasion of privacy and identity theft. I cannot afford to take such a risk.

Return calls or text messages from you to the phone numbers I use while travelling could be prohibitively expensive to me (or to the third parties whose phones I have used). International roaming on a mobile phone often costs US$5/minute, sometimes more. And what if I need to borrow someone's satellite phone to contact you in an emergency, and they are then saddled -- in perpetuity! -- with the bill for an unlimited number of robocalls from you, at $10/minute or more? I simply can't afford to accept liability for such unlimited potential costs.

When I am at home or at work, incoming phone calls are an extremely costly interruption. It costs me time to take these calls, and more time to regain my concentration on my work. I can't afford to lose a potentially unlimited amount of time and productivity to your calls. But because my profession sometimes does generate urgent telephone inquiries, I can't afford to ignore the phone. If I were to sell a consulting client the right to interrupt me by phone, at any time, for life, at any phone number I ever use including my mobile phone, I would certainly charge them a lifetime retainer of at least $10,000, more likely at least $100,000.

Finally, outbound calls or text messages from you would have no useful value. Since I cannot verify whether they are actually from you, or from an identity thief or other pretexter or impostor, I cannot rely on outbound calls or text messages from you, and would not provide any information whatsoever in response to such a call purporting to be from you. The only action I would take, in response to such a call or message, would be to hang up and then call you at the number on my card to report the suspicious and presumptively fraudulent call or message.

I look forward to your reconsideration of this ill-advised proposal and your letter confirming the withdrawal of these proposed changes to our Agreement (or, if you insist on these terms as a condition of continuing to do business with me, confirming the closure of my account and your addition of all my phone numbers to your do-not-call and do-not-text-message lists).

Sincerely,

Edward Hasbrouck

p.s. I have posted this letter in my blog, and will post your reply there as well.

Again, you must take action, in writing, before 2 April 2009 (or whatever date was given in your AmEx statement for the changes in terms) or you will be deemed to have "agreed" to this. If you'd like to use my letter as a model, here are template versions in MS-Office and Open Office formats. If you get a response from AmEx, please post it in the comments, or e-mail it to me and I will post it.

[Follow-up: AmEx cancelled my card. Now what should I do? ]

[Follow-up: Some other card issuers are imposing similar terms ]

[Follow-up: AmEx continues to spam me ... after closing my account ]

Posted by Edward on Sunday, 22 February 2009, 12:52 (12:52 PM)

Comments

Way to go Practical Nomad. I'll contact AmEx myself and give them a piece of my mind.

Thanks!

Posted by: Paul, 23 February 2009, 05:05 ( 5:05 AM)

From: "Desiree C Fish", Vice President Public Affairs, American Express
To: "Edward Hasbrouck"
Date: Tue, 24 Feb 2009 15:52:38 -0500

Mr. Hasbrouck: We saw your blog and your email. We wanted to reply and we hope this helps address your questions.

Recently we added language to our Cardmember agreement explaining how we may communicate with our Cardmembers using telephone numbers including cell phones and texting.

We may contact our Cardmembers at a number that they provided us or one from which they called us.

We want to point out that Cardmembers do have some choices about receiving communication from American Express:

If a Cardmember doesn't want to receive marketing offers, including offers via land or cell phones, they can select not to receive them by logging onto americanexpress.com/communications and we won't contact them with any offers. Of course, we will contact Cardmembers for service related issues, for example if we detect fraud.

We don't send marketing or promotional offers via text message unless a Cardmember enrolls to receive offers. While we may text a Cardmember for servicing related issues, within the text message Cardmembers are given the option to unsubscribe.

Desiree Fish
Vice President Public Affairs
American Express

Posted by: Edward Hasbrouck, 24 February 2009, 13:10 ( 1:10 PM)

From: Edward Hasbrouck
To: Desiree Fish, American Express
Date: Tue, 24 Feb 2009 13:25:01 -0800

I have posted your message in my blog.

Unfortunately, your message appears to be a press release, rather than an actual response to my questions, especially with respect to my concerns about phone numbers that are used to contact AmEx, but are used by people other than the Cardmember.

You say, for example, "We may contact our Cardmembers at a number that they provided us or one from which they called us." But obviously what this means is that AmEx will *attempt* to contact the Cardmember by sending a text message or playing a robocall to a number *associated* with that Cardmember, with no possible way of verifying that the message will reach the Cardmember rather than another user of that phone number. Any assumption that a phone number is unique to a single person is clearly erroneous in any case, but especially for travellers.

More importantly, what is legally binding are the terms of the Agreement (i.e. the contract), not what is said in press releases.

Many of the statements in your e-mail message amount to (legally unenforceable) claims that AmEx will not do things which the proposed new terms will give you the legal right to do. Can I expect to receive notice, before 2 April 2009, of the incorporation into the terms of the legal Agreement of the statements in your e-mail message as to what AmEx will and won't do? Your reassuring words would be more reassuring if they were legally binding.

I continue to await the reply from AmEx to my request to withdraw the proposed changes or close my account.

Sincerely,

Edward Hasbrouck

Posted by: Edward Hasbrouck, 24 February 2009, 13:30 ( 1:30 PM)

From: "Desiree C Fish", American Express
To: "Edward Hasbrouck"
Date: Tue, 24 Feb 2009 17:43:27 -0500

Regarding your questions and concerns about security and privacy, we take data security and privacy very seriously and we take appropriate steps to safeguard the privacy of our Cardmember's data and information regardless of communications channel. To your other question, both our privacy choices and the language from the Cardmember agreement are legally binding. We provide privacy choices to our Cardmembers so they can manage and limit the ways in which we contact them. Since you are a Cardmember, you can go to americanexpress.com/communications to manage those choices.

There are no plans to withdraw the recently disclosed language. We hope that we are addressing your questions. We value your Cardmembership but if you still would like to explore closing your account you would need to contact customer service. I would be happy to put them in touch with you or you could call the number on the back of your card.

Desiree Fish
Vice President Public Affairs
American Express

Posted by: Edward Hasbrouck, 24 February 2009, 15:09 ( 3:09 PM)

From: Edward Hasbrouck
To: "Desiree C Fish", American Express
Date: Wed, 25 Feb 2009 12:35:53 -0800

You still seem to be treating this as a public relations problem, rather than as a report of a security and privacy vulnerability and potential breach. That reflects badly on a company such as American Express, which has gotten significant competitive advantage from your *reputation* for being relatively respectful of your customers' privacy.

You say that, "We provide privacy choices to our Cardmembers so they can manage and limit the ways in which we contact them." But your response, as well as your terms and conditions and privacy policy, all make clear that you are *not* offering Cardmembers a choice as to whether you will place robocalls or send text messages to any phone number we have ever used to contact you: "We may contact our Cardmembers at a number that they provided us or one from which they called us."

While you offer the opportunity to opt out of calls and messages for *certain* purposes, it should have been clear from the scenarios in my original article that my concerns are not specific to the purpose of the robocalls or messages. In fact, the potential for privacy and security breaches would likely be greatest in the case of calls or messages related to operational issues such as possible fraudulent transactions.

Mobile phones are the first target of snatch thieves and pickpockets, because to be useful they have to be carried in an easily accessible place. The typical demand in a hold-up, anywhere in the world today, is "Give me your wallet and your mobile." My mobile phone has been stolen more recently than my wallet, and there's a good chance that any thief who stole my AmEx card would probably get my mobile phone as well.

That means that any call or text message to my mobile phone in the event of an attempt to use my stolen AmEx card would most likely be received by a thief, not me. These are the circumstances in which robocalls or text messages would be *least* appropriate, and when it would be *most* essential to have any call placed by a human who could verify my identity by means other than the data contained on the card itself.

You say that, "We take appropriate steps to safeguard the privacy of our Cardmember's data and information regardless of communications channel." But no such steps are feasible in the case of a robocall recording or text message, when all that can be verified is that the recipient is the person who answers a particular phone number, or the person in physical possession of a particular mobile phone or SIM card -- not their identity.

Would AmEx knowingly and deliberately choose to engage in a practice that could expose you to liability for the consequences of such disclosures of personal information to thieves or to other users of shared phone numbers?

You say that, "We hope that we are addressing your questions." I have no way to know if you are addressing my questions. I was unable to find any point of contact for your Chief Privacy Officer or for reporting of security and privacy vulnerabilities or breaches, other than the general customer service 800 number. Do your call center agents receive training in handling such reports? I would expect that my report should have been forwarded to your Chief Privacy Officer and the person responsible for information security, whose identities and direct contact information are unknown to me. I'm surprised that I haven't heard from them yet.

I look forward to hearing from them, and will be interested to find out, after they have reviewed my report and the scenarios I have laid out, whether they still believe that a phone number alone is an "appropriate" or sufficient means of identity verification.

Thank you for your offer to put me in touch with AmEx customer service. I have already called them and sent them the letter I copied to you, requesting specifically that AmEx confirm in writing, prior to 2 April 2009, either the withdrawal of the proposed new terms -- which I can't afford to risk agreeing to -- or the closure of my account. If I don't hear from the customer service department, I'll make sure you receive the cut-up pieces of my cancelled card well before April 2nd, since I plan to leave for several weeks in Europe around March 25th.

I'll also alert my readers to the need for them to do likewise.

Sincerely,

Edward Hasbrouck

Posted by: Edward Hasbrouck, 25 February 2009, 12:41 (12:41 PM)

My card is a personal card. I've received one report from the holder of a *corporate* card, who investigated and was told by their employer that the proposed new AmEx terms don't apply to their corporate card agreement. That may or may not be true for other corporate cardholders, especially since some large companies have individually negotiated contracts with AmEx. So if you have a corporate card, check with AmEx or your company to be sure whether these new terms will apply to your card.

Posted by: Edward Hasbrouck, 25 February 2009, 12:48 (12:48 PM)

My AmEx card was issued in the USA, with a billing address in the USA. I don't yet have any information on whether similar terms are in effect, or have been proposed, for AmEx cards issued in other countries.

Posted by: Edward Hasbrouck, 25 February 2009, 13:55 ( 1:55 PM)

Thanks for bringing this to our attention, Edward.

I have submitted a customer service request through the AmEx website, asking for my comment to be forwarded to AmEx's Chief Privacy Officer.

In my comment, I advise AmEx to modify its Terms of Service to clearly state, in the same section of the ToS where this expanded claim of right to contact cardmembers is asserted, the very limited and specific anti-fraud purpose implied in VP Public Affairs Fish's email back to you, and specifically limiting all other contacts to only those channels explicitly registered by AmEx cardmembers. In my message to AmEx, I request a personal reply from AmEx's CPO.

Jay Libove, CISSP, CIPP
Global Data Protection Manager
Transcom Worldwide

Posted by: Jay Libove, CISSP, CIPP, 25 February 2009, 14:04 ( 2:04 PM)

Bravo for your letter and efforts. I just received my Amex statement today with the new terms.

I spent a half hour on the phone with a CSR who was not familiar with the issue but sympathetic. Then she asked me to confirm my cell phone number. But I had never given Amex my cell phone number. How creepy!

I was then transferred to a supervisor. The supervisor said that the opt out part of the card member agreement had not changed. She said that the ONLY part of the agreement that had changed was the title of the section from Telephone Monitoring/Recording to Telephone Communications.

She said that American Express does not allow consumers to opt out of changes in agreement terms.

Am now googling to see if others are as troubled by this as I am.

Posted by: Ingrid, 25 February 2009, 19:19 ( 7:19 PM)

According to Ingrid,

"The supervisor said that the opt out part of the card member agreement had not changed. She said that the ONLY part of the agreement that had changed was the title of the section from Telephone Monitoring/Recording to Telephone Communications."

This is false. Most of the language in this section, as quoted in my letter above, is new.

"She said that American Express does not allow consumers to opt out of changes in agreement terms."

This is also false, although AmEx presents their terms on a "take it or leave it" basis. You *can* opt out, although only by cancelling your card and closing your account entirely. Of course, AmEx doesn't want to point out that you have that option, since it would mean they lose your business.

Posted by: Edward Hasbrouck, 25 February 2009, 20:25 ( 8:25 PM)

Thanks for bringing this to my attention. I have an Amex Card, but am not willing to get robo calls while I travel overseas, 1) they will be on North American time which is often the middle of the night where I travel, 2) Why should I have to pay for the cost of a robo call or text message?

I passed on your blog as a story suggestion to the drudgereport. If they pick it up, it will get some legs.

I am also going to talk it up over at flyertalk.com.

Posted by: Jim Tarnaski, 25 February 2009, 22:44 (10:44 PM)

I received the following message (in its entirety) today from American Express customer service:

"This account is cancelled."

I guess they've made their choice: Unless you want a lifetime of robocalls and SMS spam broadcasting your personal information to anyone at any phone number you have ever used, you need to cancel your AmEx account before 2 April 2009.

Posted by: Edward Hasbrouck, 26 February 2009, 09:01 ( 9:01 AM)

From: "Desiree C Fish", American Express
To: "Edward Hasbrouck"
Date: Thu, 26 Feb 2009 13:26:21 -0500

Sorry to hear that you canceled your account.

Your suggestion that we would transmit sensitive customer account information via a text message or "robo call" is simply unfounded.

As we have said, we take data security and privacy very seriously and we take appropriate steps to safeguard the privacy of our Cardmembers data and information regardless of communications channel. For example, we would never have a conversation without validating who we were talking to and any outbound communication, including email, text or outbound automated calls would never have personally identifiable information included.

Desiree Fish
Vice President Public Affairs
American Express

Posted by: Edward Hasbrouck, 26 February 2009, 10:44 (10:44 AM)

From: Edward Hasbrouck
To: "Desiree C Fish", American Express
Date: Thu, 26 Feb 2009 10:55:45 -0800

You say, "Sorry to hear that you canceled your account."

I didn't cancel my account. AmEx chose to cancel my account. I asked for confirmation, before the effective date of the proposed changes in terms, either that the proposed changes were withdrawn *or* that my account was cancelled. The response from AmEx was, "This account is cancelled."

I understand from your action to close my account that you no longer want my business. As a journalist and consumer advocate, however, even if no longer (by your choice) as a customer, I remain interested in any response from your Chief Privacy Officer and/or the person(s) responsible for privacy and security vulnerability reports, to whom I had requested (through the only point of contact provided on your Web site or in your privacy policy) that my message be forwarded.

Sincerely,

Edward Hasbrouck

Posted by: Edward Hasbrouck, 26 February 2009, 11:01 (11:01 AM)

FROM: "American Express Customer Service"
TO: "Edward Hasbrouck"
Subject: Confirmation of Your Cancelled Card Account
Date: Thu, 26 Feb 2009 12:27:20 -0700 (MST)

Confirmation

Your Cancel Card Request
Member Since 1989
Your Account Number Ending: - [redacted]

Online Access:

Dear Edward Hasbrouck,

This message is to confirm that American Express has processed your recent request to cancel the following Card account(s).

Green Card ending in [redacted]

If you have other Card accounts registered for Manage Your Card Account online they will still be available online at www.americanexpress.com.

Sincerely, American Express Customer Service

This customer service email was sent to you by American Express. You may receive customer service emails even if you have requested not to receive marketing emails from American Express.

Posted by: Edward Hasbrouck, 26 February 2009, 12:26 (12:26 PM)

American Express has posted a new Privacy Statement on their Web site at http://www.americanexpress.com/privacy dated 24 February 2009 (Tuesday of this week, after my original article was published on Sunday).

The new "American Express Internet Privacy Statement" contains the following provisions that I hadn't seen before, and that weren't in the "Privacy Notice" that I received with my last AmEx card statement (along with the proposed revisions to the Cardmember Agreement) dated 10 February 2009:

Updated: February 24, 2009

Please note that even if you choose not to receive future direct marketing e-mails and/or offline offers or promotions, we may continue to send you service notifications, via e-mails or offline means, about your account(s) and related products and services, and such notifications may still include offers or promotions about your account(s) and related products and services. Such notifications may also provide account information (including information about servicing communications based on your customer status), answer your questions about a product or service, facilitate or confirm a sale, or fulfill a legal or regulatory requirement. In addition, you may still continue to receive marketing e-mails and offline offers or promotions from American Express Publishing.

Posted by: Edward Hasbrouck, 26 February 2009, 12:41 (12:41 PM)

From: "Desiree C Fish", American Express
To: "Edward Hasbrouck"
Date: Thu, 26 Feb 2009 15:11:55 -0500

It wasn't clear from your email. I am not aware [of] actions to your account. I am happy to reach out to customer service to get more information if you wish.

The statement I provided you was provided to you after working with the privacy office. That is the response to your inquiry.

Posted by: Edward Hasbrouck, 26 February 2009, 12:45 (12:45 PM)

This practice is disturbing on a number of levels. The actions of AMEX, and probably other creditors that will undoubtedly soon follow suit, exacerbate fraud and the growing trend scammers are using smishing (text) scams!

Warning their customers that AMEX has the right to text or call them on any phone number the consumer may have ever called them on, and whenever they want to, while making the consumer responsible for the cost, is not only placing their customers' data at risk for identity theft - but is a self serving, dangerous and a needless practice that should be stopped in its tracks!

How will consumers be able to determine if a call/text is legitimate or a scam? Consumers have been warned over and over that legitimate creditors will never use email or text messages to contact them regarding their account. Now this latest action by AMEX seems to be playing right into the hands of thieves and scammers. Way to go! Identity theft is the fastest growing crime in America - and with policies like this, is there really any wonder why? Until creditors (and the cra's) decide to become part of the solution - they remain the problem! Some ask, do these companies really need to be legislated into being responsible? Clearly - that's a resounding YES!

Posted by: Denise Richardson, 27 February 2009, 08:10 ( 8:10 AM)

So is one solution to avoid the cell phone capture concern to call Amex via Skype? I just called my personal toll free number via Skype while in the US and the originating phone number transmitted as 202-580-8200. If you call back this number, you will get a fast busy signal. I have used Skype to call US toll-free numbers from outside the US without a problem.

An added bonus, US toll free numbers are free via Skype. This was great when I need to call airlines and other companies back in the US while traveling.

This doesn't solve the underlying issue of Amex's policy, but at least you can do something about it until it gets fixed.

Posted by: askmrlee, 2 March 2009, 16:08 ( 4:08 PM)

just talked to AMEX

claims amex did not send that

claims they have provided OPTION for customer to select that service.

Posted by: , 19 May 2009, 13:25 ( 1:25 PM)

American Express! What are you doing to your loyal cardholders? 20 years I have been a loyal cardholder, unofficial marketing rep, on-time payer, and more than happy with my card. Now, it seems weekly I am getting limit changes, request for payments early and threats to cut off my credit. I have never been late with a payment and have a superior credit rating. Just so you know, this is causing some serious dis-loyalty among your good cardholders and a fleeting thought to pay back the thankless way you are dealing with us by just quitting paying altogether. Is the economic condition of AMex really so bad that you would jeopardize your good clients. I am so concerned but mostly just angry. WTF!

Posted by: Ex Loyal cardholder, 23 November 2009, 11:16 (11:16 AM)

A friend of mine experienced a huge trouble with her credit card bills. She finally found out that she was then a victim of credit card identity fraud. really bad, but this is the reality.

Posted by: , 28 July 2010, 07:26 ( 7:26 AM)