US: Store Customer Cards a Source for FBI?

WASHINGTON -- So you have a secret craving for Little Debbie peanut butter bars and a penchant for Kendall-Jackson merlot?

While that customer loyalty card at the supermarket might perceivably save you a few pennies at the checkout counter, your buying habits could end up in the hands of government agents.

According to one privacy expert, at least one national grocery chain voluntarily handed over to the government records from its customer loyalty card database in the wake of the Sept. 11 terrorist attacks.

And others say customer databases -- including those culled from travel, financial and insurance industries -- are routinely shared with the government for surveillance purposes.

"I think this is exactly what the FBI wants to do and there really isn't any obstacle to them doing it anymore," charged Lee Tien, a policy analyst with the Electronic Frontier Foundation.

Thousands of supermarkets across the country have been offering loyalty cards to their customers for years. Some ask for basic information in their applications, like name, address and phone number. Others ask for more personal information, like Social Security numbers and e-mail addresses.

Each time the card is used, purchases are recorded in a massive database. In exchange, customers get discounts and special offers based on their buying preferences.

"It doesn't take a marketing genius to create an in-depth profile of someone that would be reasonably accurate just based on their purchasing history," said Donna Hoffman, a professor at Vanderbilt University and privacy expert with the campus' E-Lab.

"There has been a lot of discussion about profiling, but I think the concern over the government getting access to customer information is looming on the horizon," she added.

Larry Ponemon, CEO of the Privacy Council, said he was consulted for advice in January by an attorney for a national grocery chain, which in the wake of Sept. 11, had voluntarily delivered up its customer loyalty accounts to the federal government.

"It was not a malicious act, but it was more about feeling they had to do something to help the government look for the bad guys," said Ponemon, who could not reveal the name of the chain.

He said the attorney had since resigned from the chain and would not speak to the press. Despite his advice to the company, cardholders were never informed that their personal information had been shared with the government.

Noting that since the attacks a number of industries were persuaded to share their customer databases with law enforcement, Ponemon said he didn't know whether the practice continues.

"I think the issue is still happening, but probably more controlled than it was," he said.

Asked about such data sharing techniques, an official with the FBI simply said it would not divulge its surveillance methods.

"If we went into the discussion of whether we do or do not conduct that kind of activity, it could inform the wrong people of our surveillance techniques and jeopardize our investigations," the official said, on condition of anonymity. "So we are not going to get into that."

Right now, "data mining" companies all over the country exist to gather all of the information floating around in private databases and in the public domain to build profiles for everything from direct marketing campaigns to criminal background checks. Some of these companies count the federal government as a client.

Of course, some of this cultivation could be extremely helpful, especially when it comes to tracking down potential terrorists. Chuck Jones, a spokesman for ChoicePoint, a data maintenance service that boasts 14 billion public records in its databases and information on 220 million customers, including credit bureau documents and buyer demographics, would not confirm whether his company shares marketing databases with the government.

But, he said, such data sharing could have been helpful on Sept. 11.

Shane Ham, a senior policy analyst with the Progressive Policy Institute, said concerns over the feds wanting to seize upon customers' buying habits at the local grocery store are a bit exaggerated.

"I can't imagine what in the world the government would want with someone's grocery purchases unless they were on the trail of a specific person," he said. "They're not going to want to be flooded with information about who is going to be buying milk on what particular day. But I still recommend that consumers follow-up with what their supermarket is going to do with their information."

Jonathan Mayes, a spokesman for Safeway Inc., which operates almost 1,800 supermarkets across the country, said Safeway does not "sell or lease any personal identity information to any outside company."

He added that required by law, it is obligated to hand over information to law enforcement upon subpoenaed request, but Safeway would not give up its databases voluntarily.

Jim Harper, a privacy lawyer and head of, said Americans should be warned that many private entities may be perfectly willing to share information without a warrant.

"What it shouldn't do is cause us to scrap the (loyalty) programs," he said. "But we do need to make sure that private data is private and is not used as a resource for law enforcement."

AMP Section Name:Technology & Telecommunications
  • 116 Human Rights
  • 186 Financial Services, Insurance and Banking
  • 189 Retail & Mega-Stores
* indicates required