WASHINGTON — Not long before headlines exposed National Security Agency programs that secretly collect records of Americans’ phone calls, another surveillance system got far less attention: Nordstrom, the department store chain, acknowledged it was tracking customers without their knowledge in 17 stores.
Nordstrom had hired a company to log a unique number emitted by shoppers’ smartphones, which automatically connected to Wi-Fi systems as they moved through the stores. A day after a Dallas TV station broke the story last month, Nordstrom announced it was discontinuing the program.
The Palo Alto company that sold the tracking service, Euclid Analytics, has tracked 50 million devices in 4,000 locations for 100 corporate and other customers, its founder has said. Shoppers are free to opt out, but the process is complex — they must enter their phone’s media access control address, known as a MAC address, on Euclid’s website.
Self-confessed leaker Edward Snowden’s disclosures about domestic spying by the NSA have sparked a broad debate about whether the government is using sophisticated surveillance and data-mining techniques on its own citizens without sufficient oversight.
But information gathered and exploited by Internet giants such as Google, Amazon and Facebook — and traded by lesser-known data brokers such as Datalogix and Acxiom — can be more revealing than what the NSA can legally collect on most Americans. Few consumers understand what data are being shared, with whom, or how the information is being used.
“We normally think of the NSA as being far ahead of corporate America, but I’m not so sure they are that far ahead anymore,” said Mark Herschberg, chief technology officer at Madison Logic, a New York-based company that provides data for advertisers.
“There are thousands of companies out there collecting information on customers, and together they are really aggregating quite a bit of data,” he added. “Google is reading through your email. Amazon is looking at not just what you buy, but what you shop for.”
The collection and analysis of consumer information in bulk is enabled by what has been dubbed the “Big Data” revolution — the combination of digitization, cheap storage, robust computing power and sophisticated analytics that allows experts to find correlations in ever-expanding pools of data.
In many ways, Big Data has been a boon for consumers, allowing companies to tailor products and services. Netflix says three-fourths of its film and TV show rentals come from its own recommendations, which rely on automated analysis of customer preferences.
Big Data also has the potential, advocates say, to improve medical outcomes, streamline government services and reduce crime. The Los Angeles Police Department is analyzing data to isolate hot spots in its “predictive policing” program, for example, steering officers to where crimes are expected to happen.
The downside may be just as dramatic, however.
Most Americans emit a stream of personal digital exhaust — what they search for, what they buy, who they communicate with, where they are — that is captured and exploited in a largely unregulated fashion. The information can be used by identity thieves, insurance companies, prospective employers or opponents in a civil lawsuit.
“How do I express my privacy requirements? Increasingly, it means I have shut off my phone and become a digital hermit,” said Ian Glazer, a vice president at Gartner Inc., an information technology research and advisory company.
In addition to privacy threats, he said, “there is a fundamental problem with fairness, in the sense that I am generating all this data about me through my devices, and these organizations are harvesting it and making a profit off it.”
Google says it uses algorithms, not humans, to mine the content of Gmail messages. Thus if someone sends a digital note about an upcoming trip, the computer may generate an ad for an airline or hotel.
Amazon and other companies track online shoppers and display ads for items their customers perused as they browse other websites. Retailer Target was able to use purchasing patterns to figure out when women were pregnant and target ads accordingly.
Smartphones double as tracking devices, sending periodic signals that disclose their locations. Though the NSA says it does not collect that information about Americans, numerous popular applications, including Angry Birds and Yelp, do so for their developers, using precise coordinates from cell towers and GPS systems. Some sell the data to third parties.
Mobile carriers, including Verizon Wireless, have begun selling aggregate location data. Verizon, on its website, promises advertisers “detailed demographics; location analysis to determine where your target consumer segment lives and works; and foot-and-mobile traffic habits,” though not names or phone numbers.
“These companies have been practicing what I call privacy arbitrage for the last 10 years or so, mining all of our personal information,” said a former U.S. intelligence official who now works for a data company.Heasked for anonymity so he could be more candid. “I don’t know to what degree the common person understands how much data is being collected about them by these Silicon Valley companies that are saving the world.”
Just as NSA officials say the agency uses data on Americans only to hunt for terrorists and spy on foreign adversaries, Silicon Valley executives say they use personal information only to sell advertising and improve the customer experience. Much of the data they store are anonymous, they say. They don’t care about customer names.
Yet anonymity can be temporary. In a study published in February in the journal Scientific Reports, researchers were able to sort through location data on 1.5 million people and uniquely identify 95% of them based on four hours of tracking. The big social networking and shopping sites do in fact store names, email addresses, credit card information, shopping and browsing histories.
Even if the NSA, Google and Verizon have strong incentives not to abuse the data they collect, they can’t always control it. Just as Snowden purportedly used his special access as a network administrator to download documents he wasn’t supposed to see, Google in 2010 disclosed that it had fired a systems engineer after allegations that he had improperly accessed the email and chat content of four teenage customers.
Officials at Euclid, the company that helped Nordstrom track its customers, declined to comment. But in a March letter to Sen. Al Franken (D-Minn.), who criticized the company, founder Will Smith said Euclid did not obtain the names or phone numbers of customers and didn’t share or sell its data with others.
Most consumers “probably don’t understand what data is being collected,” said Evan Reiser, chief executive of the San Francisco firm AdStack, which uses millions of detailed consumer profiles to customize targeted email advertisements. “A lot of companies could do a much better job explaining that.”