The Electronic Privacy Information Center is asking the FTC to take a closer look at Google’s new advertising program that attempts to tie consumers’ online actions with their later purchases in physical stores.
The complaint alleges that Google has managed to gain access to a massive and valuable trove of consumer data — credit and debit purchase records — but has not said how it came by that data, nor has it given customers a way to decline being part of the program if they so desire. The group also complains that Google is using a method to protect the data that is secret — thus unvetted by outsiders and potentially vulnerable to a breach.
“Google is seeking to extend its dominance from the online world to the real, offline world, and the FTC really needs to look at that,” said Marc Rotenberg, the organization’s executive director.
Google has responded by saying its approach to advertising is “common” and that its building out new proprietary storage technology will provide “a new, custom encryption technology that ensures users’ data remains private, secure and anonymous.”
The program under question — Store Sales Measurement — was first announced in May and billed as the first time Google would be able to directly prove that online clicks were leading to real world buys. That proof relies on Google's access to the credit and debit card records of 70 percent of U.S. consumers and a mathematical formula that anonymizes and encrypts the transaction data, and then matches said transactions to the millions of U.S. users of Google and Google-owned services such as Gmail, search, YouTube and maps.
Google does not directly deal with the credit or debit information of individuals.
But how the formula works that protects consumer data — that is a bit mysterious to anyone outside of Google.
The privacy watchdog is requesting the government not take Google’s word for it and instead review the algorithm itself. The group further notes that the mathematical technique that Store Sales Measurement is based on, CryptDB, has known security flaws. A CryptDB-protected healthcare database was hacked in 2015 and managed to exposed some 50 percent of patient records.
There is also some questions as to how Google got all those transactions records — or if they have direct permission to use that data. Google has only said that its unnamed parter has the “rights necessary” to use this data. The privacy group notes that without knowing where Google gets its data, people can't decide how to avoid data tracking if they wish not to be electronically followed.
Google notes that it never sees personal information and that its advertising partners don't either — only the aggregated, anonymous stuff. Google also notes users can opt out by going to the My Activity Page, clicking on Activity Controls, and uncheck “Web and Web Activity,” Google says.