Thursday, 28 July 2016

S-Group and Customer Data Collection

Have't written here for a while, but as luck would have it here's a privacy story from Finland.

The supermarket chain S-Group are updating their customer loyalty scheme to make it more relevant for their customers, ie: direct advertising. The basic idea is that they'll make fine grained data collection from the various shops and services in the S-Group. Such data include the specific purchases as well as, of course, time stamps, locations, identity etc.

While various consumer organisations are incensed by this obvious infringement of people's privacy, the danger is really elsewhere.

For a start we have the classic massive data collection from which we can make all kinds of inferences - ostensibly the what, where, when and intriguingly why of consumer purchases. Down this road we see the also classic direct advertising mistakes - you bought milk last week so you'll buy milk this week ... seriously if a supermarket can't work this out without "BigData" then they have problems.

There's also the issue that inferences can have other unforseen effects:

How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did
Kashmir Hill, Forbes
Feb 16, 2012
"Every time you go shopping, you share intimate details about your consumption patterns with retailers. And many of those retailers are studying those details to figure out what you like, what you need, and which coupons are most likely to make you happy. Target, for example, has figured out how to data-mine its way into your womb, to figure out whether you have a baby on the way long before you need to start buying diapers."

That's really going to go down well with the Finnish regulators...

The part that really worry me is where S-Market states that it will keep the data for future usages. As I wrote in Privacy Engineering, any time you see a future use of data this should start alarm bells ringing. It means that you have no clear use case, no clear set of users of that data and are in effect over-collecting data on a whim. Collecting and keeping data for future use is a very high risk activity.

Nothing is mentioned in their literature about security, location of data etc - though I guess the standard "industry standard" answer (Tesco anyone?) will be used. Hint: I worked on those industry standards...they set out some of the base, good practices only.

I constructed a data flow model of as much as I understand about the system at the moment. It isn't much but over each of those flows is going your personal data. The dashed lines represent return data flows, the dashed circles represent "unknown" participants. Question: does this data get sold to 3rd parties?

Inferred DFD

In defence of S-Group they have announced this to all customers of their bonus scheme - though the language is a little flowery in places (did you know that their bonus scheme has won a prize?!).
Details can be found here and here, and you can obtain your data that is held in their customer registry, though I assume not the inferences made from that data. You can see this data from your S-Kanava account; also in writing though only once per year without charge.  You can opt-out whenever you want (though the opt-out is not retroactive as far as I can see) by calling +358 (0)10 76 5858 (calls cost 0.088eur/min - why not free if you were serious about privacy?)

As this scheme is not in operation yet obviously I can't comment on what data I will be able to see and control. I might for myself let it run for a month and then see what data I can get out of the system. I assume I will get the time, location and itemised list of products from every transaction I make; hopefully also the mechanism how I paid the particular cashier (at least till number) and so on.

Another final point is that all bonus money collected by customers is paid to an account in S-Pankki, but that's another story about compliance and interpreting the law.