Please explain: Why Quicken Classic is "stealth stealing" a copy of user's personal financial data

DevNull

😡 Quicken Classis R53.16, Windows 11/10/7

In as few words as possible:

• When did this abhorrent behavior and breach of user trust start, i.e. which Release?
• Why does Quicken automatically upload my private financial data without user permission?
• Why does Quicken block the user from blocking Quicken from stealing the user's personal and private financial data?

I am aware you can go to: Edit —> Preferences —> Quicken ID & Cloud Accounts —> Edit data - to rename and delete all but one file.

However, it re-uploads any time you access, i.e. open, a QDF file. Also seems as though it "scanned" drives and/or folders for files that were not accessed by the user. (have not performed extensive testing on the "scanning" behavior yet)

jacobs

@DevNull I think you perhaps have some misunderstandings about how Quicken works.

If you don't choose to use the Quicken mobile app or web interface, you can set Quicken Cloud to not sync any of your desktop data to its cloud servers. (And if that data currently exists, you can delete it and, with sync to Quicken Cloud disabled, prevent it from being uploaded again.) On the other hand, if you want to use either the mobile app or web interface, that requires Quicken to store a copy of some of your data in its cloud servers in order for those services to work. There's nothing stealthy or abhorrent about that.

The next layer is how you connect to your financial institutions. If you choose not to connect your accounts for downloading, and enter everything manually, then none of that data is uploaded to Quicken's cloud servers — and some Quicken users operate this way. If you want to download your transactions, as most Quicken users do, then it depends on the connection methods your financial institutions offer. If your financial institutions utilize Direct Connect, the data flows between the financial institutions server and your desktop Quicken, and isn't store in Quicken's cloud servers. If your financial institutions utilize Express Web Connect (EWC and EWC+) for Windows, or Quicken Connect for Mac, then this is an aggregation service where data flows from your financial institutions to a Quicken server to your desktop data file. There's nothing stealthy or abhorrent about that, either; it's how Quicken has worked since connectivity was invented decades ago.

Why does Quicken automatically upload my private financial data  without user permission?

Have you read Quicken's Terms of Use? You agreed to these Terms of Use (formerly called the End User License Agreement, listed here going back to 2003) when you first registered Quicken or your Quicken subscription. There's lots of legalese in them, but it includes statements like this: " In order to provide full Product and Service functionality, we must have access to the Content that you store or process using a Product or Service. You grant us, our Suppliers, and each of our affiliates permission to collect, send, receive, process, store, alter, and create new information based on your Content, Credentials, and other information."

P.S. Please understand that this is a community forum, with mostly fellow Quicken users here, along with a few Quicken moderators who keep things organized and answer some questions. But you're not talking to Quicken executives here, so if you're looking for explanations about why policies are the way they are, no one here can answer; if you're looking to understand what data Quicken uses and how you can control that, then hopefully fellow users can help and you'll get some helpful responses here.

Boatnmaniac

From my perspective, nothing has really changed regarding this as it's been this way for perhaps more years than I've been using Quicken (since 2010). But what has changed is that Quicken appears to be more transparent about it than in the past.

Chris_QPW

A bit of history (Windows version):

Express Web Connect was created in 2009. By definition:

https://www.quicken.com/support/how-quicken-connects-your-bank

• Express Web Connect is a one-way connection. Data is imported into Quicken, but Quicken cannot affect your transactions or balances in any way.
• Access and retrieval of data is automated through the use of nightly updates. During these updates, our aggregation partner logs in to your bank's website on your behalf. Generally, this happens once a day and outside of business hours. Because of this, you may notice login activity on your bank's website overnight.
• Your login credentials are stored on our aggregation partner's servers. This makes updates faster for you.
• Your financial data is stored on Quicken-hosted servers. This provides a more complete history of your financial transactions than is typical for data stored on bank's servers.
• Our aggregation partner uses state-of-the-art security measures to protect your login credentials and your financial data.

The "aggregator" is Intuit, Quicken Inc pays them for this service.

Quicken 2014 was the first year for the Quicken Id/Quicken Cloud dataset. The Quicken Cloud dataset is where the Quicken Connection Services stores information it needs to provide various online services. Which services depends on which you decided to use and has expanded quite a bit over time.

At the time the data flow for Quicken Desktop to get the data: Quicken (the program) ←> Intuit ←> financial institution.

Quicken 2015 introduced Quicken Mobile/Web (and Sync to Mobile/Web). Quicken from what I know this is first time transaction data was stored in the Quicken Cloud dataset. Quicken Mobile/Web can be thought of as the GUIs to view this data. But note that besides syncing data from the Quicken Desktop data file to the Quicken Cloud dataset, the Quicken Connection Services also retrieve transactions and store them in the Quicken Cloud dataset and do this periodically or by request from Quicken Mobile/Web.

Quicken (the program) ←> Intuit ←> financial institution

So then add in:

Quicken Connection Services ←> Intuit ←> financial institution

And:

Quicken Desktop ←> Sync to Quicken Connection Services

About a year or so after Quicken was sold, the flow was changed to:

Quicken (the program) ←> (Sync) Quicken Connection Services ←> Intuit ←> financial institution

They stated that the main motivation was so that Quicken Inc was in this flow to detect connection problems, but it is also easy to see that it simplified the whole interface. Side note Quicken Mac was using Quicken Connect Services like this a few years before Quicken Windows changed to it.

Express Web Connect + was added about 2 or so years ago and has the same data flow. The main difference between them is that the connection between Intuit and the financial institution is standardized and more secure than Express Web Connect which is just "an agreed way to get the data from a given financial institution.", which includes trying to log in as if they were the customer instead of a secure program.

Bottom line is that since Quicken 2014 there has always been a Quicken Cloud dataset that has been associated with your Quicken Desktop datafile. It will always be recreated even if you delete it because it is needed to provide whatever services you request. Note for instance if only uses Quicken Bill Manager some information about that is stored there, and there are other services that use it.

DevNull

Problem resolved thanks to a Quicken Classic sign-in page for Mobile & Web on the internet. Turns out you can turn it off in Quicken via:

Edit —> Preferences —> Mobile & Web —> Sync Preferences —> Sync : On/Off - it was set to on by default, not by me. 😎

DevNull

I found the culprit and it was right there all along <happy camper mode restored to on...>

Problem resolved thanks to a Quicken Classic sign-in page for Mobile & Web on the internet. Turns out you can turn it off in Quicken via:

Edit —> Preferences —> Mobile & Web —> Sync Preferences —> Sync : On/Off - it was set to on by default, not by me.

In a nutshell: I do not consider the mobile platform as entirely trustworthy (We can have a spirited debate about that elsewhere - But my first question would always be: Have you read the entirety of every EULA or Terms of Use for your mobile apps?), hence I do not use it for aggregated accounting of my finances.

Also, thanks for the other information on Quicken in general in the replies from the team(s).

😎 I accidentally posted the above as a new question but cannot delete it. Will try neutering it there..

jacobs

Yes, turning off Quicken's cloud sync is exactly what I wrote about in my first reply to your original post. Please make sure that once you have turned San to Off, you go back to Settings > Connected Services and click Reset for for Cloud file. While Turning Sync off stops the syncing, your data is still in Quicken's cloud servers; resetting your cloud file wipes out the existing cloud data, and replaces it with a minimal cloud file that has none of your transactions, account login credentials, etc.

I don't use Quicken's cloud services, not because of concerns about Quicken harvesting my data, but because I don't entirely trust the syncing to be trouble free. I think most of the longtime users in this forum choose not to have Sync turned on for this reason. It's a good concept, but unless it's completely flawless, it's a risk to my carefully curated data.

DevNull

https://community.quicken.com/discussion/comment/20401171#Comment_20401171

Thx. I found it before seeing your post. I'm not following you on the "Connected Services". What path is it (see below) or is it for each "Account" (gear icon)?

What I did at first was to create an empty-ish (fake) QDF file, then I went to:  Edit —> Preferences —> Quicken ID & Cloud Accounts —> Edit data - to delete all but the new file. (I did this on multiple machines here) Then I went back later to turn off sync and even the fake-ish file appears to be gone.

BTW: I'm not entirely adverse to cloud, just very cautious and yes, I read EULAs etc., and no they should not be 14 pages of legal-eze - IMHO. Actually, they try to teach that in law schools these days, but it has not seemed to have caught on just yet 😉

TBH: Your explanation of the data flow of Express Web Connect gives me a bit of pause, especially given my Bank warns me that Authorizing thirds parties is inherently risky. They made it sound like Express Connect didn't require a third party processor. I've not used Direct Connect as my banks charge for the privilege. Sounds as though I need to revisit how much the additional security (less third parties) might be worth paying for. I had just thought they were trying to grift me…

FWIW: Been using Quicken on Windoze since at least 1998. Used Managing Your Money (MYM) for years before that.

DevNull

Thx. https://community.quicken.com/profile/jacobs I found it before seeing your post. I'm not following you on the "Connected Services". What path is it (see below) or is it for each "Account" (gear icon)?

What I did at first was to create an empty-ish (fake) QDF file, then I went to:  Edit —> Preferences —> Quicken ID & Cloud Accounts —> Edit data - to delete all but the new file. (I did this on multiple machines here) Then I went back later to turn off sync and even the fake-ish file appears to be gone.

BTW: I'm not entirely adverse to cloud, just very cautious and yes, I read EULAs etc., and no they should not be 14 pages of legal-eze - IMHO. Actually, they try to teach that in law schools these days, but it has not seemed to have caught on just yet 😉

TBH: Your explanation of the data flow of Express Web Connect gives me a bit of pause, especially given my Bank warns me that Authorizing thirds parties is inherently risky and not necessary. They made it sound like Express Connect didn't require a third party processor. I've not used Direct Connect as my banks charge for the privilege. Sounds as though I need to revisit how much the additional security (less third parties) might be worth paying for. I had just thought they were trying to grift me…

FWIW: Been using Quicken on Windoze since at least 1998. Used Managing Your Money (MYM) for years before that.

DevNull

https://community.quicken.com/discussion/comment/20399615#Comment_20399615

I don't use external clouds as I have my own perfectly good clouds internally. But there it was - all On and everything. I'm thinking it came On during the switch over to Quicken Classic maybe. I found out about it by accident while looking for another setting.

DevNull

Hat tip to https://community.quicken.com/profile/Chris_QPW 🎩 Great info!

"A bit of history (Windows version):

Express Web Connect was created in 2009. By definition:

https://www.quicken.com/support/how-quicken-connects-your-bank …"

jacobs

I'm not following you on the "Connected Services".

Sorry, I forgot you were using Quicken Windows. My description referred to where the settings are in Quicken Mac, which is the program I use; it's similar but slightly different terminology in Quicken Windows. Apologies for that confusion.

Louis Main Account

When I connect to a bank using web connect, it shows that all data goes through Quicken servers and is stored there whether or not you sync with you mobile app. It also seems that Quicken is forcing banks to use this new format so they can steal your data. Can someone confirm that web connect will always store your account details on their servers or does it not?

Chris_QPW

@Louis Main Account your terminology is wrong. Web Connect is downloading a QFX file and importing it. And in that case, it certainly doesn't sync unless you tell it to sync to Mobile/Web (that goes for Direct Connect too, which is Quicken (the program) to the financial institution directly)

For Express Web Connect/Express Web Connect + (or Quicken Connect for Mac) the data flow is:

Quicken (the program) ←> Quicken Connections Services/Quicken Cloud dataset ←> Intuit server (Quicken Inc's aggregator) ←> financial institution

They aren't "stealing your data" this is the flow needed to provide the service.

As for how long the data stays on their server unfortunately that has never been stated. It was hinted at times that Intuit holds about a month or two of recent data. For the Quicken servers it has never been stated, but since they are using the same "sync system/data storage" as the "Sync to Mobile/Web" is probably the same as that service and the answer for that would be forever or until the Quicken Cloud dataset gets reset for some reason. Help on connection types:

https://help.quicken.com/display/WIN/Change%2Bconnection%2Btype?_ics=1703302824463&irclickid=~oyQ~fnGVK~f.ba90VMJCApkg9~01UPJDvska5YNKB

Boatnmaniac

@Louis Main Account said:

It also seems that Quicken is forcing banks to use this new format….

The financial institutions decide which connection method(s) they will support. There are different costs and resource allocation requirements/commitments and security protocols with each of the 4 different connection methods. When they contract with Inuit to get added to the FIDIR list and set up with Quicken they tell Intuit which connection method(s) they want to be set up with. It is solely their call. So who is doing the "forcing" is the financial institutions, not Intuit/Quicken.

By "new format" I am assuming you mean Express Web Connect+ (EWC+). EWC+ is Intuit's/Quicken's response to the new FDX API protocol that has been developed by a consortium of a large number of some of the biggest financial institutions in the US and Canada. If you want to see some of the consortium's membership you can click on this link: https://www.financialdataexchange.org/FDX/FDX/The-Consortium/Members.aspx .

This consortium wanted to develop a new standard for a royalty-free, more secure method for financial data transfers. As the new standard is implemented by the financial institutions Quicken/Intuit must implement EWC+ or the financial information from those financial institutions will no longer be able to be downloaded at all. We shouldn't fool ourselves into thinking that Quicken & Intuit have much choice in this matter….they don't…at least not if they want them to continue downloading into Quicken.

….so they can steal your data.

It is only stealing if they are doing that without our permission or if they are using it in a manner that is not consistent with the terms and conditions. But all we users have given them this permission when we agreed to the terms and conditions when we installed the software. If we had not agreed to the terms and conditions we would not have been permitted to use the software.

jvogelaar

Interesting. Came across this discussion when looking into a new connection method Quicken said that Citibank has moved to, their notice was my first present awareness that Intuit was involved in some or all Quicken data connections. For privacy and security I preferred the days when my Quicken app connected directly with the financial institution, no data intermediaries… more places where my data makes he have to trust those places security from hacks and making use of my data in ways that I don't like. Alas… It also complicates investigating missing download data, have this situation where data occasionally doesn't get into my Quicken app— ha, is the missing data problem a Vanguard, Intuit, Quicken or my Quicken app problem. Ergh. I use Quicken Classic for Windows, have been a Quicken user since mid-1990s. This mostly "fyi" for anyone with Quicken who reads. :)

Chris_QPW

Yeah @jvogelaar, wouldn't we all have been better off if all the financial institutions had adopted the OFX/QFX protocol!

In the EU they mandated it. Their financial institutions have to support either OFX or another protocol that I forget the name of (or both). But our financial institutions are "free" to do whatever they like, which is to say it is like herding cats.

That is exactly why "aggregation" came about. Companies like Intuit trying to hack together a system to "somehow" get the data from all these nonstandard websites. And now that is the "standard".

FDX/Express Web Connect + will fail in the exact same way that OFX/QFX did. If only "some financial institutions" adopt it, then all that will happen is, yet another protocol will be added to a complicated mess.

Direct Connect/OFX/QFX only got about 4,500 financial institutions to use it, and that is probably down to about 2,000 these days. There are over 35,000 financial institutions in the US alone.

The handful of major financial institutions that will adopt FDX/Express Web Connect + will be a drop in the bucket for people that don't want to go with those few major players.