jump to navigation

With Privacy the Sum May Be Greater than the Parts February 17, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , ,

Information Security can be described as the protection of data while privacy is defined as the appropriate use of data.  Volumes of data is collected on all of us every day.  Some of the data we voluntarily provide in exchange for additional benefits and services (airline mile programs, loyalty shopper programs, for example).  Other data we unknowingly provide such as shopping history. Regardless, we expect the custodians of the data to use it appropriately and maintain privacy.  Unfortunately, sometimes company’s pursuit of profits causes them to walk a very fine line as far as privacy is concerned.  The following is an example of where a company arguably violated the tenets of privacy while possibly not violating any laws.

According to a story reported recently, Target figured out a teenage girl was pregnant from her shopping history and inadvertently told her family.  The end result is that 1) Target knew (statistically they are right 90% of the time), and 2) Target, by sending pregnancy related coupons to the girl, informed her family that she was pregnant, without her knowledge or consent.  Here is how it happened.

Target has a business intelligence program that attaches a Guest ID to every person that shops in their store.  They attach it to name, email address, and other information.  A statistician named Andrew then mined the data and began to see patterns emerging that indicated a woman may be pregnant.  It turned out he was right and with some tweaking the program was very accurate.  In fact, it was accurate 90% of the time and could even tell what trimester the woman was in and estimate when the baby was due.  Target collected this information on a customer (teenage girl) and began sending her coupons for pregnancy related items.  Her father, upon receiving the coupons contacted his local Target store and raised the issue.  Unfortunately, upon speaking with his teenage daughter it was apparently divulged that she was pregnant.

While this story makes Target an easy target (pun intended), they are not the only company that uses aggregate data to profile clients.  While this particular case was able to profile a person that was pregnant, it is not a stretch to see Target or any other merchant using such technology to profile by sexual orientation, race, gender, age, or even disability in an attempt to send targeted coupons. As stated in the article:

“As [his] computers crawled through the data, he was able to identify about 25 products that, when analyzed together, allowed him to assign each shopper a “pregnancy prediction” score. More important, he could also estimate her due date to within a small window, so Target could send coupons timed to very specific stages of her pregnancy.”

This is an unfortunate case of where privacy law has not kept pace with technology.  While it may technically be legal many would question whether it is appropriate use of information.


No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: