Schneier on Security
A blog covering security and security technology.
« Pirated Windows to Remain Unpatched |
| Cryptanalysis of SHA-1 »
February 18, 2005
Security Risks of Frequent-Shopper Cards
This is from Richard M. Smith:
Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to the KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt.
For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he set the fire and not Lyons. Lyons is now back at work after more than 5 months of being on administrative leave from his firefighter job.
The moral of this story is that even the most innocent database can be used against a person in a criminal investigation turning their lives completely upside down.
Safeway needs to be more up-front with customers about the potential downsides of shopper cards. They should also provide the details of their role in the arrest or Mr. Lyons and other criminal cases in which the company provided Club Card purchase information to police investigators.
Here is how Safeway currently describes their Club Card program in the Club Card application:
We respect your privacy. Safeway does not sell or lease personally identifying information (i.e., your name, address, telephone number, and bank and credit card account numbers) to non-affiliated companies or entities. We do record information regarding the purchases made with your Safeway Club Card to help us provide you with special offers and other information. Safeway also may use this information to provide you with personally tailored coupons, offers or other information that may be provided to Safeway by other companies. If you do not wish to receive personally tailored coupons, offers or other information, please check the box below. Must be at least 18 years of age.
Firefighter Arrested For Attempted Arson
Fireman attempted to set fire to house, charges say
Tukwila Firefighter Cleared Of Arson Charges
Posted on February 18, 2005 at 8:00 AM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Anyone that "believes" information is safe from abuse needs to step out of “neverland��? and into the real world where information is power.
If information were useless why would anyone want it? If people can’t think this through alone they are susceptible to abuse. Didn’t anyone ever tell them there is no such thing as a free lunch?
I don't think these exist.
Excellent post Bruce. I was shocked at a conference two weeks ago when Howard Schmidt said he is opposed to regulation and that he thinks shopper cards are a great technology advance.
This sort of nonsense does real harm to the information security practice since it gives a completely false sense of safety. There is documented risk and real danger to losing control of personal identity information, as demonstrated by ChoicePoint, etc. What percentage of people realize the serious personal risk they take by entering their data into an unregulated shopper-card database? Not many. Security practicioners need to alert people of the dangers and help bring fair regulation to the situation before a serious disaster and subsequent backlash occurs.
And of course, if you don't have your Safeway card with you, you can enter your phone number at checkout. Your database key is basically public information.
The scariest part of the system is that you don't even need any physical ID to use the Safeway Club Card account. All you need is your (or someone else's) phone number. I routinely use someone else's phone number when I make my purchases at Safeway. I don't know who the person is, nor do I have any intention of knowing.
The companies lure you into using these cards by providing admittedly very good sale prices. There is no other advantage to the customer, but there are myriad disadvantages.
If many people begin using other peoples' phone numbers, they'll all continue to get their sale prices, but they'll devalue Safeway's database into junk. Viola, problem solved.
The moral of this story is that even the most innocent database can be used against a person in a criminal investigation turning their lives completely upside down. --- No, the moral of this story is that inference is bad and should be avoided by all means. That's one of the reasons why CAPPS II would have been such a massive threat and why I am so strongly against the sharing of flight passenger data as the US require after 9/11.
Let's say this had happened in a small isolated town with one general store. The police might reasonably check whether the store sells that brand of fire starter, and if so, they might question the clerks. Is that an abuse? Let's say a clerk remembered the purchase because it's such a slow-selling item, and the two small town acquaintences had joked about the irony of a firefighter needing fire starters.
So let's say that as a result the guy comes under suspicion for 5 months until the investigation finally ends with somebody else's confession.
Is that an abuse? By whom? (Not to minimize the anxiety or 5 month disruption to an innocent person's life)
Let's say it occured in a larger town with more stores, and the police used some technique or tool to make it practical and effective to question a bunch more clerks, or read through the carbons of all their handwritten itemized receipts, is that an abuse?
How effective does their technique or tool need to be in order for its use to become an abuse?
What new checks and balances do we need in this case (police investigation of crime) to deal with the new ability to easily search massive amounts of inter-related data?
The problem has nothing to do with shopper cards and databases. The problem is with prosecutors and their willingness to press cases forward based on flimsy evidence. Read the book "Actual Innocence" for many examples of people who did long stints in prison as a result of this kind of investigative and prosecutorial sloppiness.
I have to agree here with the posters who point out that the culprit here is the law enforcement/prosection personnel, not the database. Furthermore, of all the complaints people make about privacy, I find grocery club cards the flimsiest. If you don't want to give away your data, don't get a club card. The store wants your data, and they are paying you for that data with reduced prices. If you don't like the deal, pay full price and keep your data.
"And of course, if you don't have your Safeway card with you, you can enter your phone number at checkout. Your database key is basically public information."
That's what I do. I have a friend who lives in Winnipeg. I always tell the checkout person her phone number. There are several of us who do it, so she "shops" all over the U.S. regularly.
As has been pointed out in several comments above (including Axel, David and Joe Ganley), the problem with this case is the alledged "poor" use of available evidence by the police, who might need a short course in statistics.
The specific issue here is the combination of: (i) are means (possession of fire starters type X), and (ii) motive (desire to destroy house, wife and kids). As stated, there is no evidence of opportunity.
Concerning motive, what proportion of arsonists are husbands or something similar; I assume a a fair proportion; lets say it is 20%. So, initially, the husband must be "in the frame". If he has no alibi, he stays in the frame.
In town, there are a lot of people, almost certainly hundereds, with possession of fire starters type X, only some of whom are identified by a lotalty card or other means. The husband is certainly one of them. There are also all those possible unpremeditated arsonists who might use stuff found at the scene, so there is a some chance that the husband's firelighters were used, but not by him. Thus, on the fire starter evidence alone, the probability of the husband doing it is less that 1%. However, he would have been much less of a suspect if the police had been unable to find any evidence of possession of the "means".
At this point, it might be worth considering how long fire starters of type X have been in the house (from this or previous purchases), and whether there is any evidence for a suspected increase recently in motive.
Given actual arson, and suspected attempted murder, surely the police should seek out all useful evidence, including purchase of the weapon (by all means, including loyalty card records).
Whether or not the police properly considered the balance of the evidence, their having used records for a loyalty card is irrelevent. That is unless you believe that God should wipe clean all evidence, except that pointing only to the guilty party, or that our due legal process should require the same.
I wonder whether frequent shopping cards are really any different from credit cards in this regard? I know from experience that a Best Buy employee at the customer service desk can use my credit card number to quickly look up my previous purchases. So if I shop at the grocery store with a credit card regularly, does this database exist whether or not I choose to participate in the frequent shopper card program? My impression is that if you don't shop anonymously and with cash, your purchases are tracked and logged, avoidance of frequent shopping cards notwithstanding.
There was an incident where a shopper slipped after encountering spilled yogurt. The shopper's kneecap was fractured when they slipped. The question arose as to whether the store was responsible. Apparently, the store planned to introduce the shopper's purchase records as evidence against the shopper. (Supposedly, these records showed frequent purchases of alcohol.) The store claimed that they didn't access the records and that they would not use them as evidence. See http://www.seattleweekly.com/features/9838/...
There is, I believe, an interesting difference between the USA and the UK (and many other EU and other countries). This is that, in the UK, businesses, government and other organisations are subject to laws on use and protection of data on individuals.
My understanding is that this means, broadly, that no organisation (excepting specifically authorised law enforcement agencies etc) can hold personal information without having an obligation to make copies available to the person involved. In most cases, the information may not be held, or passed on, without obtaining prior permission from the person involved. Usually, the holding of information is limited to purposes disclosed in advance to and accepted by the person involved.
All organisations holding personal information must register with the Information Commissioner (a government agency that reports to the UK Parliament). They must follow certain rules for good practice and are liable to legal sanctions for failures. See http://www.informationcommissioner.gov.uk/ for further information.
Personally, I find it very surprising that the USA does not have similar laws, especially given its general policy of protection of individual rights.
Lack of such laws does not, of course, prevent any company or other organisation choosing to exercise "good practice". Some of the information linked in the above discussion shows that Safeway have a policy that goes, at least, some way towards "good practice" as understood in the UK.
If I've not got it right, on the legal situation in the USA, please do post concerning what actually applies.
Some have suggested sharing phone numbers to defeat 'Loyalty' Cards. I don't think the stores care. They can learn plenty just by what we buy in one purchase without linking multiple purchases. Take Walmart. They don't have a card program, but have 460TB of shopping habbit information. They know what flavor of poptarts to stock up on before a hurricane. Unfortunately, the original NY Times article http://www.nytimes.com/2004/11/14/business/... is in archive. I seem to remember reading it in print in Fortune.
I agree with all those who say sloppy prosecutions are a problem, but believe this magnifies the potential harm from unregulated capture and release of personal identity information.
If customers had better control/protection of their data, there would be less risk from sloppy prosecutors purportedly digging up "smoking guns" all over the place.
Remember all the movies where people escape by crossing the river to erase their scent and avoid leaving tracks? Shopping in America is starting to feel like you have to walk barefoot into wet cement. And that is due to overwhelming market pressure that has little or no regard for security and safety concerns until AFTER a major disaster highlights the true risk (e.g. try to eat your next fast-food burger next to the burning mountains of manure in Nebraska). The market is broken and needs to be fixed.
>>In most cases, the information may not be held, or passed on, without obtaining prior permission from the person involved. Usually, the holding of information is limited to purposes disclosed in advance to and accepted by the person involved
That's of little help in this situation, where the organization being passed to is the government LEA (who manage to hold most of the exceptions to 'privacy laws'). The danger from Walmart frivolously data mining my name and FBI doing the same is significant.
This certainly is a problem with sloppy prosecution, but to discount the personal privacy and security issues on that basis is a mistake. Sloppy prosecution, inadequate intelligence amongst law enforcement (or any regulating body) and the inappropriate use of information should be the assumption--including businesses and individuals there, not just law enforcement.
The potential for misuse seems to have an almost causal relationship with actual incidents of misuse. By nature, humans push these types of situations for all they are worth, constantly testing the limits of the powers gained by new technologies and information. Trusting in the benevolence and goodwill of those who have access to this kind of information seems highly dubious (and downright unAmerican, really.)
All of you who identified local law enforcement and prosecutors as the problem here are right on. My attorney recently had a conversation with the PA who stated that he wished he had not been pressured by local law enforcement to charge me. They had shit for evidence and committed so many errors in their investigation that at times I almost wished for a trial. Remember I have 29 years in the fire service and have a background in fire cause and origin together with interview and interogation techniques. My second request for discovery included SOP's, records and reports that would have revealed their sloppy work. Wouldn't you know, shortly thereafter charges were dropped. Pity the poor accused who doesn't know any better.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.