WASHINGTON — Not long before headlines exposed National Security Agency (NSA) programs that secretly collect records of Americans’ phone calls, reports of another surveillance system got far less attention: Nordstrom said it was tracking customers in 17 of its stores.
The Seattle-based retailer had hired a company to log a unique number emitted by shoppers’ smartphones, which automatically connected to Wi-Fi systems as they moved through the stores. A day after a Dallas TV station broke the story in May, Nordstrom announced it was discontinuing the program.
The Palo Alto, Calif., company that sold the tracking service, Euclid Analytics, has tracked 50 million devices in 4,000 locations for 100 corporate and other customers, its founder has said. Shoppers are free to opt out, but the process is complex. They must enter their phone’s media access control address, known as a MAC address, on Euclid’s website.
Edward Snowden’s disclosures about domestic spying by the NSA have sparked a debate about whether the government is using sophisticated surveillance and data-mining techniques on citizens without enough oversight.
Most Read Business Stories
- 55,000 in Washington state may have to pay back thousands in jobless benefits
- 1 house, 45 offers: Homebuyers in Western Washington hard-pressed as supply remains scarce
- Boeing CEO gave up millions in pay; here's what he and other top execs earned
- Amazon's telehealth arm quietly expands to 21 more states
- Inflation isn't the big risk, with economy's recovery still uncertain
But information gathered and exploited by Internet giants such as Google, Amazon and Facebook — and traded by lesser-known data brokers such as Datalogix and Acxiom — can be more revealing than what the NSA can legally collect on most Americans. Few consumers understand what data are being shared, with whom, or how the information is being used.
“We normally think of the NSA as being far ahead of corporate America, but I’m not so sure they are that far ahead anymore,” said Mark Herschberg, chief technology officer at Madison Logic, which provides data for advertisers.
“There are thousands of companies out there collecting information on customers, and together they are really aggregating quite a bit of data,” he added. “Google is reading through your email. Amazon is looking at not just what you buy, but what you shop for.”
The collection and analysis of consumer information in bulk is enabled by what has been dubbed the “Big Data” revolution — the combination of digitization, cheap storage, robust computing power and sophisticated analytics that allows experts to find correlations in ever-expanding pools of data.
In many ways, Big Data has been a boon for consumers, allowing companies to tailor products and services.
Big Data also has the potential, advocates say, to improve medical outcomes, streamline government services and reduce crime.
The Los Angeles Police Department is analyzing data to isolate hot spots in its “predictive policing” program, for example, steering officers to where crimes are expected to happen.
The downside may be just as dramatic, however.
Most Americans emit a stream of personal digital exhaust — what they search for, what they buy, whom they communicate with, where they are — that is captured and exploited in a largely unregulated fashion. The information can be used by identity thieves, insurance companies, prospective employers or opponents in a civil lawsuit.
“How do I express my privacy requirements? Increasingly, it means I have shut off my phone and become a digital hermit,” said Ian Glazer, a vice president at Gartner, an information technology research and advisory company.
In addition to privacy threats, he said, “there is a fundamental problem with fairness, in the sense that I am generating all this data about me through my devices, and these organizations are harvesting it and making a profit off it.”
Google says it uses algorithms, not humans, to mine the content of Gmail messages. Thus if someone sends a digital note about a trip, the computer may generate an ad for an airline or hotel.
Amazon and other companies track online shoppers and display ads for items their customers perused as they browse other websites. Target was able to use purchasing patterns to figure out when women were pregnant and target ads accordingly.
Smartphones double as tracking devices, sending periodic signals that disclose their locations.
Though the NSA says it does not collect that information about Americans, numerous popular applications, including Angry Birds and Yelp, do so for their developers, using precise coordinates from cell towers and GPS systems. Some sell the data to third parties.
Mobile carriers, including Verizon Wireless, have begun selling aggregate location data. Verizon, on its website, promises advertisers “detailed demographics; location analysis to determine where your target consumer segment lives and works; and foot-and-mobile traffic habits,” though not names or phone numbers.
“These companies have been practicing what I call privacy arbitrage for the last 10 years or so, mining all of our personal information,” said a former U.S. intelligence official who now works for a data company. He asked for anonymity so he could be more candid.
“I don’t know to what degree the common person understands how much data is being collected about them by these Silicon Valley companies that are saving the world,” he said.
Silicon Valley executives say they use personal information only to sell advertising and improve the customer experience. Much of the data they store are anonymous, they say.
But in a study published in February in the journal Scientific Reports, researchers were able to sort through location data on 1.5 million people and uniquely identify 95 percent based on four hours of tracking.
The big social-networking and shopping sites do in fact store names, email addresses, credit-card information, shopping and browsing histories.
Even if the NSA, Google and Verizon have strong incentives not to abuse the data they collect, they can’t always control it. Google in 2010 disclosed it had fired a systems engineer after allegations that he had improperly accessed the email and chat content of four teenage customers.
Officials at Euclid, the company that helped Nordstrom track its customers, declined to comment. But in a March letter to Sen. Al Franken, D-Minn., founder Will Smith said Euclid did not obtain the names or phone numbers of customers and didn’t share or sell its data with others.
Nordstrom said its use of Euclid in some stores was a test, and its termination shortly after the Dallas story broke was merely coincidental. Local TV stations in Portland and Denver had aired similar stories earlier in the year, said Nordstrom spokeswoman Tara Darrow.
“Using this type of technology is one way that we can learn about our customers’ foot traffic and find additional opportunities to improve the service we offer them,” she said in a statement. “Through the Euclid pilot, we got some great feedback from our customers.”
Most consumers “probably don’t understand what data is being collected,” said Evan Reiser, chief executive of the San Francisco firm AdStack, which uses millions of detailed anonymous consumer profiles to customize targeted email ads.
“A lot of companies could do a much better job explaining that.”
Seattle Times business reporter Amy Martinez contributed
to this story.