They thought they were making routine purchases: the innocent, everyday pickups of charcoal and hummus, bleach and sandwich bags, that keep the modern household running. Regulars at a national grocery chain, these thousands and thousands of shoppers used the store's preferred-customer cards, in the process putting years of their lives on file. Perhaps they expected their records would be used by marketers trying to better target consumers. Instead, says the company's privacy consultant, the data was used by government agents hunting for potential terrorists.
The saga began with a misguided fit of patriotism mere weeks after the World Trade Center and Pentagon attacks, when a corporate employee handed over the records (almost literally, the grocery lists) to federal investigators from three agencies that had never even requested them. In a flash, the most quotidian of exchanges became fodder for the Patriot Act.
When the company's legal counsel discovered the breach, she turned for advice to Larry Ponemon, CEO of the consulting firm Privacy Council and a former business ethics professor at Babson College and SUNY. "I told her it's better to be transparent," Ponemon recalls. "Send a notice to loyalty cardholders telling them what happened. She agreed and presented that to the board but they said, 'No, we don't want to hand a smoking gun to litigators.' " The attorney, who has since resigned from the grocery chain, declined through Ponemon to be interviewed or to identify herself or her former employer. To this day, the customers haven't been informed.
"It wasn't a case of law enforcement being egregiously intrusive or an evil agency planting a bug or wiretap. It was a marketing person saying, 'Maybe this will help you catch a bad guy,' " Ponemon says.
As John Ashcroft's Citizens Corps spy program prepares for its debut next month, it seems scores of American companies have already become willing snitches. A few months ago, the Privacy Council surveyed executives from 22 companies in the travel industry (not just airlines but hotels, car rental services, and travel agencies) and found that 64 percent of respondents had turned over information to investigators and 59 percent had lowered their resistance to such demands. In that sampling, conducted with The Boston Globe, half of the businesses said they hadn't decided if they'd inform customers of the change, and more than a third said outright that they wouldn't. Only three said they would go public about the level of their cooperation with law enforcement.
The final destination of all that data scares Ponemon and other civil libertarians, defenders of the Fourth Amendment prohibition on unreasonable search and seizure. Ponemon, for one, suggests federal authorities are plugging the information into algorithms, using the complex formulas to create a picture of general-population trends that can be contrasted with the lifestyles of known terrorists. If your habits match, expect further scrutiny at the least.
"I can't reveal my source, but a federal agency involved in espionage actually did a rating system of almost every citizen in this country," Ponemon claims. "It was based on all sorts of information: public sources, private sources. If people are not opted in," meaning they haven't chosen to participate, "one can generally assume that information was gathered through an illegal system."
After crunching those numbers through the algorithm, he says, its creators fed in the files of the 9-11 terrorists as a test. "The model showed 89.7 percent accuracy 'predicting' these people from rest of population," Ponemon reports.
Oddly enough, "one of the factors was if you were a person who frequently ordered pizza and paid with a credit card," Ponemon says, describing the buying habits of a nation of college students. "Sometimes data leads to an empirical inference when you add it to other variables. Whether this one is relevant or completely spurious remains to be seen, but those kinds of weird things happen with data."
The thirst for consumer records is bipartisan. In April, Bill Clinton told the BBC that when it comes to fighting terrorism, "more than 95 percent of the people that are in the United States at any given time are in the computers of companies that mail junk mail, and you can look for patterns there."
Katherine Albrecht, a crusader against grocery loyalty cards and invasive marketing, notes in a paper to be published in the Denver Law Review, "Virginia Congressmen Jim Moran (D-VA) and Tom Davis (R-VA) recently introduced legislation that would require all states' driver's licenses and ID cards to contain an embedded computer chip capable of accepting 'data or software written to the license or card by non-governmental devices.' " The mandatory "smart chips" would carry bank and debit card data so that citizens could use their ID cards "for a variety of commercial applications." Even library records, shopping coupons, and health records could be stored on the chips.
Adding to this vision of technological dystopia, companies are already developing cameras and other scanners that can seamlessly trace individuals as they wander through stores, going so far as to zoom in on their faces should they linger over an item, to provide retailers with ever more data.
The problem is that, as with the link between take-out pizza and terrorism, statistics don't always prove cause and effect. Mathematician Karen Kafadar of the University of Colorado at Denver explains that such a finding is "a proxy. It just happened to have something that correlated. There's actually something else going on but it's an indicator, like drinking beer and lung cancer might be. Beer doesn't cause lung cancer, but people drinking a lot of beer might also be smoking."