Google asked to explain how it tracks what you buy in stores

Privacy experts want to know how Google uses credit card data to figure out whether you buy the stuff you search for when you go to stores.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Marguerite Reardon
3 min read

Privacy advocates question whether Google is really protecting consumer data when it tracks what people buy in physical stores.

Screenshot by Claudia Cruz/CNET

Privacy advocates aren't satisfied with Google's assurances that it's protecting consumer privacy when it tracks the success of online ad campaigns into ringing up sales in physical stores.

On Monday, the advocacy group Electronic Privacy Information Center filed a formal complaint with the US Federal Trade Commission that asks the agency to begin an investigation into Google's "in-store tracking algorithm." The algorithm lets the search giant tell advertisers how well their marketing campaigns are working in offline sales.

The Store Sales Management program, which Google began testing in May, allows it to tell an advertiser how many people who clicked on an ad actually bought something. For example, it could tell Home Depot or Walmart what percentage of people who clicked on an ad for grills went to a store to buy one. The company gets credit card and other financial information from data brokers and marries it with its own online tracking software.

Giving marketers insight into how their online ads translate into physical store sales is difficult to do. Privacy advocates, like EPIC, worry information gleaned from these databases could reveal more about people's private lives than they realize. That information could include medical conditions, religious and political affiliations, and other personal details. They want to make sure the data is protected because of Google's advertising and consumer reach, 

Google says all the data it collects is anonymized, so it never sees individual transaction data. The company says it matches transactions with Google ads in a "secure and privacy-safe way." Google hasn't said how it's doing this. 

EPIC says it doesn't take Google on its word alone. It wants the company to explain what data on credit and debit card purchases it's accessing, how it's getting the information and what encryption it's using to ensure user data remains anonymous.

"Here we have the largest company on the internet which has access to millions of people's browsing histories and 70 percent of credit card records and they're linking these things together and saying, 'Don't worry about this, we've got it covered,'" said Marc Rotenberg, executive director of EPIC. "We think it's reasonable to be concerned. And we'd like the FTC to do an independent investigation into how this data is de-identified."

In its complaint, EPIC alleges Google is using a type of "double-blind" encryption known as CryptDB, which was developed by MIT researchers in 2011 with partial funding from Google. It argues this technology isn't entirely secure. 

A Google spokeswoman said the company isn't using this encryption technology, but declined to give further information on how Google's system works.

"Our researchers spent years working on a privacy-preserving methodology to measure the impact of advertisements on store sales," the spokeswoman said in an email. "Our research will show that we are using cryptographic techniques in new ways and at scale."

She said the company is planning to share this research in the coming months. 

It's a fair criticism that Google hasn't been forthcoming about the technology it's developed, said Joe Lorenzo Hall, chief technologist at the Center for Democracy and Technology, a Washington, DC-based digital advocacy group that gets a large amount of funding from Google. In the past, Google has shared this kind of research and source code with the public. Google's openness is important because without it there is no guarantee that its methods are secure, Hall said.

"It's important that all cryptography be publicly described," he said. "It's the only way to know if we really understand the flaws."

EPIC has also criticized Google for not providing any way for consumers to opt out of the tracking. Google says that isn't accurate and points consumers to its My Activity Page. Consumers can opt out by clicking on "Activity Controls" and unchecking "Web and Web Activity."

"We only use data that they've consented to have associated with their Web and App activity in their Google account, which users can opt-out of at any time," the Google spokeswoman said. "We are committed to constantly innovating and continuing to provide transparency to users on what data we collect and how we use it."

The FTC confirmed it has received EPIC's complaint but declined to comment further. 

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Batteries Not Included: The CNET team reminds us why tech is cool.