Will Police Turn Buying Habits Into Grocery Fingerprints?

Written by Evan Schuman
February 29th, 2008

Are we looking at a near future where consumers’ purchase profiles will be used by law enforcement to track down fugitives?

The potential is absolutely there, with retailers collecting molecular mountains of shopping history—sometimes more than a decade’s worth—and law enforcement seeking creative ways to find criminals (or people they think are criminals) who are quite determined about not being found.

Those terabytes of tenacious consumer telemetry hold not only all of a shopper’s preferences; smartcarts and personal shopping assistants also have the potential to record what a consumer thought about buying.

That’s true to the extent that you can assume that a consumer who slowed down in front of a display of Cheerios and picked up—and then put down—a box of Cheerios was probably thinking of buying those Cheerios.

But Cheerios are fairly innocuous. What if it was a butcher’s knife? More to the point, what about those patterns that databases are so good at finding? It might not be that unusual for a customer to purchase blue Dial soap or licorice-scented shave cream or alfalfa sprouts or Poland Spring distilled water. But if a suspect has repeatedly purchased those products for years, isn’t it likely he’ll continue when he’s hiding in one location long enough?

A database that could analyze a suspect’s shopping history and then ask POS systems nationwide to look for close matches is entirely practical.

Consider this scenario: John O’Hara is a professional hitman and he’s accidentally killed a high-ranking government official. Knowing that he has perhaps two days before they’ll zero in on him as a suspect, O’Hara decides to disappear. He withdraws as much cash as he can from his bank. Yes, he knows that will later indicate that he fled, but he’s assuming they’ll figure that out anyway.

He shreds all of his credit cards and identification, using some of his cash to purchase bogus identity cards. He leaves his cellphone behind and drives as far as he can, as quickly as he can. With long driving sessions, he figures, he’ll be 1,000 miles away in just a few days.

O’Hara knows enough to not ever call any of his friends and family, knowing that the telcos will be watching for his calling pattern to reemerge, with calls to the same repeated numbers. If he’s smart, he’ll stop all prior contacts.

But he’s eventually going to settle somewhere and will likely resume his supermarket shopping and dining purchases. Even if he avoids getting a loyalty card, his pattern will still likely reemerge, if the POS system is watching for it. It won’t know who, but the system will know that someone made a purchase at 10:42 PM, with the telltale blue Dial soap, licorice-scented shave cream, alfalfa sprouts and Poland Spring distilled water.

If that pattern happens a few more times, an alert could be generated and the store put under surveillance, timed to when this person has been shopping.

This hasn’t happened yet, but retailers are collecting so much data, going light-years beyond credit card numbers, expiration dates and home addresses, that it is inevitable.

When I spent years covering law enforcement, it was rarely the big splashy investigative techniques that impressed me, but the quiet, creative ones. Such as the detective who learned everything he could about a suspect on the lam and then started checking subscriptions for hobby magazines. This was in the days before online pubs. Sure enough, he found three niche publications that he read, which had little to do with each other. New subscriptions for those publications found the intersection and the suspect was located.

Customer profiles are all about habits and using those habits to predict behaviors. No matter where I go, people will be able to find me because I love bok choy and always ask that it be added to my Chinese take-out. Some day, when I’m on the run from some homicidal PR person that I pushed too hard, that bok choy will be my undoing.

I offer this science-fiction crime drama tale to make a point. Once data is collected, it’s almost impossible to get rid of, especially if a retailer has spent millions gathering it. Not only is data more or less permanent, but it will invariably be used for 50 things that the people who collected the data never intended.

It’s good to network and share data across a chain and to use this technology to understand customers as well as possible. But to paraphrase the late British poet John Donne, "Never send to know for whom the unique identifier tolls as it tolls for thee."

Knowledge may be expensive and ignorance more so, but the societal price for knowledge used in the wrong way is one that none of us will know until it’s paid. When that happens, Visa just won’t cut it.


2 Comments

  1. James Loar Says:

    Putting the ethical questions aside, as in normal ERP business applications, the easy part currently is collecting data. The challenge is always on how to turn data into information that can be used to make decisions. In the article’s analysis you then have the issue of pattern recognition across several companies to consider. Also key in making law enforcement more effective is the video/picture of the person making the ‘pattern-recognized’ transactions from the POS cameras.

  2. A Reader Says:

    Eliot Spitzer’s account was flagged because of his financial transactions that routed money through shell companies to the prostitution service. NPR claimed tonight that every transaction since September 11th is examined in context, looking for money-laundering and terrorism funding traces.


    It’s already being done.

