California Book Legislation Doesn’t Understand How Retailers Work

Written by Mark Rasch
July 27th, 2011

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

If you’re selling books in California, you may soon have to handle all customer data very differently. If a piece of legislation now winding its way through the California legislature becomes a law, new restrictions on your record-keeping and file maintenance will extend far beyond the sales of actual books.

The legislation, which has more holes than a chunk of Swiss cheese, would place these burdens on retailers while ignoring a lengthy list of other people in the retail environment who have access to the identical data. The key problem: The writers of the legislation didn’t think much about how retailers do their magic.

For example, the statute would make it illegal for a book retailer—and presumably any employee of that retailer—to disclose information about book (and, for that matter, all types of) purchases to police. But it places no restrictions on the volumes of other people who have access to the identical data, including card processors, card brands and possibly POS vendors. What about the employees of the security firm that handles the security cameras and other customers? Both are groups who might see or overhear the information. What if a third-party firm handles the loyalty/CRM system? If the transaction is handled by the customer’s mobile device, that brings in an entirely different set of people who might know about a purchase.

If a receipt for a book is E-mailed to the consumer (or sent by SMS or other means), the ISP and E-mail provider could be forced to give the cops that information (which confirms the name of the book). If books are read online or through, say, the Kindle app for a computer or iPhone, although Amazon might not have to turn over the records (as a provider), Apple, AT&T, Verizon or another ISP would enjoy no such legal restriction/protection.

It would be like saying that Barnes and Noble couldn’t turn over records of what customers bought, but the chain’s security company could be forced to turn over the high-def security tapes of customers—book in hand—at the cash register. Although the videotape would be “personal information” under the statute, because it would include “information that relates to, or is capable of being associated with, a particular user’s access to or use of a book service or a book, in whole or in partial form,” the security company would not be a provider of a book service and, therefore, would not be covered by this law.

If the government really wants to know what someone is reading without a court order, it could subpoena family members, other customers or even members of a book club—indeed anyone who is not a provider—to try and find out.

Many years ago, I helped represent a local Washington, D.C., bookstore that received a subpoena from a special prosecutor demanding the production of cash-register receipts for book purchases by a particular former White House intern named Monica Lewinsky. After reaching a deal with prosecutors, Lewinsky herself agreed to provide these records. But the case raised both First Amendment and general privacy concerns that have recently been addressed by the State of California in its proposed “Reader’s Privacy Act,” for which public hearings are scheduled for August 17.

If enacted and signed, the bill would prohibit anyone who provides a book service with the primary purpose of selling or lending books from disclosing customer personal information (including IP address) without a valid court order supported by probable cause unless there is some imminent danger of death or serious injury.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.