Chartwells "going cashless"
September 3, 2024•1,814 words
Mugging as a feature, not a bug...
This post isn't going to go far into what financial privacy is or why it matters -- though if readers wanted to engage on privacy tools, news, strategies, philosophy, I would love to talk about it, and hope you'll reach out through the Guestbook. There are also some great books and information pieces you can find online from university researchers, private investigators, legal or law enforcement professionals, famous hackers, and so on. I preface with this because for so many people I encounter, digital privacy sits squarely in their blind-spot; they often have some vague awareness of it, but it may seem too techie and overwhelming; and in any case, they don't expect it to be important to someone they're talking to.
The purpose of this post is to share what I've learned about how to navigate a specific "cashless" food service operation on our university's campus -- by a company called Chartwells -- which came to the university a couple of years ago. "Going cashless" is a strategic priority for Chartwells. This anti-privacy measure forces customers to use their credit card for all transactions -- which links everything associated with their purchase, including hidden details like digital exhaust from their cell phone or behavioral analytics, to their personal identity. "Going cashless" is a marketing term of art for "no cash allowed" -- meant to mislead their customers into believing they're receiving a benefit. In reality the only beneficiaries are Chartwells, financial processors and data brokers who receive financial benefit from your data -- it's worth money to them. When you had a choice to use cash -- they made less money. So they took that choice away from you -- and now they make more money. To amplify the value Chartwells et al. receive from "going cashless", the university provides a captive customer base -- aside from 3 sidewalk lunch vendors and a handful of snack & drink vending machines on campus, there are no other food service companies allowed to operate on the university's campus of 15,000 students + all of the faculty, staff and other employees and contractors who support them.
So... what's a privacy-focused person to do if they want to use cash for small, every-day sorts of things...like coffee, or lunch?
How to use cash at Chartwells
Chartwells installed a credit-card vending machine near their storefront in the student union. I'll be frank here -- I don't think this is any kind of indicator that they respect privacy -- I suspect it has more to do with capturing business from whatever percentage of young people don't yet have a credit card of their own (as high as 23% of adults don't have a credit card according to BankRate.com). The vending machine is not as easy to use as cash -- but it is possible to use this in a privacy-centering way. A few things to know:
- You pay for a card with cash -- from $1 to as much as $500.
- You can't re-load the cards.
- If the balance on the card gets too low to buy anything, you can spend the remainder of the card on a purchase that is larger than the remaining balance, but only if you know the exact amount it has on it, and only if you get a Chartwells employee who knows how to run multi-card transactions...because you'll have to buy another card to cover the remainder of the purchase.
- DO scan the card on the vending machine you bought it from to get the current balance.
- DO write the updated balance on the card with a Sharpie after every purchase if you use the card at other locations on campus where there is no vending machine.
- DO NOT use the web address on the back of the card for looking up the balance -- especially not with your phone or computer -- unless your intention is to give up on maintaining privacy altogether, in which case, what is the point of using the card in the first place?
- The cards have a 90-day dormancy fee.
- The card will be charged a $3.95 "dormancy fee" that can eventually zero-out your balance if you don't use it.
- DO limit your risk of loss by not putting more money on the card than you think you will use in 3 months.
- DO NOT put more money on the card than you can afford to lose.
- There is a camera pointed at your face on the vending machine.
- One of my friends speculated it was like an ATM -- just an innocent security measure that would never be abused. You're free to think so. I don't have any reason to trust Chartwells -- the "going-cashless" anti-privacy measure is strike 1, they don't say what they use the camera for, strike 2, and companies are increasingly harvesting personal identity through facial recognition -- Facebook, Rite Aid (check out their recent FCC penalty) and many others do this -- and that's strike 3.
- As for me -- I was pleased to see that someone had covered the camera with a placard, which has remained in place for several months now.
What else is there?
Living a privacy-focused lifestyle can require changing the way you've grown accustomed to engaging in certain daily activities -- like coffee or lunch. It might feel a little unfair or uncomfortable right at first, but honestly, there is some reward in it. I have a pour-over coffee setup in my office -- an electric kettle for heating water, a filter that sits on my cup, and a jar of ground coffee that I bring in from home -- it's cheaper (less than $1), faster, and makes a better cup of coffee than what I can buy at Chartwells; instead of walking over to the student union to queue for a $3 cup of so-so coffee in a 12oz paper cup with a plastic lid, I can take my break walking around our beautiful campus with a re-usable travel mug full of amazing coffee. Instead of walking over to the student union to queue along with hundreds of students for a fast-food lunch, I can bring a lunch from home that is much healthier, and find a peaceful spot on campus to enjoy it. Overall, while I still hope we can have more food options on campus that take cash, I have come to quite enjoy the slower pace, healthier options, sustainability and cost-savings of providing my own coffee & lunch.
How did we get here?
University administrators are not bad people and they don't have bad intentions -- let's get that out of the way. The fact that legitimate companies like Chartwells operate like this -- that it's not just the 'hackers' or 'scammers' that predominant narratives tend to focus on -- and the reality that this behavior can pose significant and prolific threats to personal privacy still don't seem quite real to a lot of people. University administrators are just starting to wake up to this through some very soft challenges from employees speaking out. The intrusion into our personal lives caused by various technology-related decisions they impose on the campus community, and the fact that their senior and functional leadership, project sponsors, and other influential decision-makers may bear responsibility for that, is a new concept for them as well. And no -- they don't want to believe it -- denial, defensiveness, distraction follow from there.
This post has been centered on Chartwells' "cashless" mode of operation and how to navigate that specific anti-privacy scenario, though there are many other anti-privacy intrusions to be aware of. These include Windows 11 monitoring & how it employs AI, cell phone apps we are all 'encouraged' to put on our phones in order to protect university resources and facilitate delivery of university tools, services and benefits (Email, MFA, Bus Pass, Campus Security, Facilities Repair, and more), 3rd-party service providers (for background checks, unofficial department software, etc.), and so on. University administrators continue to say that they don't 'require' any of this -- though they have moved so far into this territory by now that at this point most key university functions would fail without such anti-privacy intrusions. Imagine if all employees & contractors were to leave their personal cell phones at home for just one day -- we would likely see very little work get done.
Where can we go from here?
I would love to see the university bring a personal privacy lens into its evaluation of new projects, contracts and partnerships. How wonderful would it be if they didn't wait until they thought they could get in trouble for failing to address it -- like we saw them do with prioritizing web accessibility in past years. Just the acknowledgement that what administrators do in this space can have a significant effect on employees' personal lives would be a big step in the right direction. More than that, they bargain on behalf of thousands of students and employees -- which can bring a lot of bargaining power to the table when working out an agreement with companies and partners -- and I expect in many cases they would be able to insist on certain privacy-respecting features or provisions in those agreements -- like accepting cash at the campus food service provider's storefronts. They are no strangers to this -- they already leverage their bargaining power to negotiate lower prices on equipment, software, and much more. In cases where a company may not be willing or able to provide the required privacy features -- and let's face it, many companies integrate data-harvesting into their business model so tightly that it cannot be turned off -- the university can look for a different product or provider that is more privacy-respecting. They can also make sure to provide alternatives to anti-privacy products and make sure employees know about them. For example, having a process to reimburse an employee for the cost of an anonymous bus pass that they purchase with cash at the bus station could provide a vastly more private alternative to a bus pass managed through a phone app that has access to your photos, contacts, location, social media and more.
They might also make a mention, in their promotion of anti-privacy phone apps and other initiatives on campus, of the risks involved to personal privacy, and the fact that they take no responsibility for the security of the app -- that it's up to the user to decide whether or not to install it. And maybe -- one last thing -- they can stop abusing the trust the campus community places in them by telling employees that anti-privacy, invasive apps have "the best privacy policy I've ever seen", in order to further their adoption-rate goals.