Tesco Does Not Know More About Me
I nearly always use cash when buying groceries, and I don't have any supermarket "loyalty" cards.
Privacy of medical data and the machinations of surveillance capitalism were under the spotlight at a Cambridge University symposium last week. Much of the day-long event, marking the 20th anniversary of think tank the Foundation for Information Policy Research (FIPR), was spent debating state-backed surveillance in its many …
Tesco would know more about me than GCHQ because they are more interested in me than GCHQ.
You have no idea how much GCHQ know, or do not know about you. Perhaps they know at least as much as Tesco as they can bulk purchase data from the same commercial sources as supermarkets do, and then add their drag-net surveillance to that. "Know" is also a very loose term, in this case it is about data pertaining to you spread across databases rather than, e.g. collated information in a written document.
"at least as much as Tesco as they can bulk purchase data from the same commercial sources as supermarkets do, and then add their drag-net surveillance to that"
Well they can order Tesco to provide everything they know, and then add everything your bank knows and then add everything your ISP knows and then add everything your doctor knows.
So I think GCHQ certainly do know more than Tesco.
But I bet they are tracking you via your phone. They will track that phone to the checkout, and then they will know what you've bought. Over time they will build up a picture of your spending habits, and even though they don't know your name, they know "you". Or am I being paranoid.
But I bet they are tracking you via your phone.
Not when it's switched of, they aren't. And mine is switched off, because that's the way I live my life, not enslaved to a device. In any case it's a PAYG with no frills whatsoever; anything more than that would serve the needs of others rather than just mine.
Anyway, as it happens cellphone coverage in our nearest Tesco is utterly shit so what's the point in it being on?
"Not when it's switched of, they aren't. And mine is switched off"
Similar situation here except that the phone's probably switched on but left at home and possibly with a flat battery. In any case it's a fairly ancient one and although it has GPS I can never get it to work properly - it probably wants a data SIM which the PAYGO isn't in order to get maps or something.
Not using a supermarket loyalty card will have serious repercussions. For starters you will not get the coupon to which you are entitled, i.e. 15p off something you were not going to buy.
I have photos of my friends' cards' barcodes on my phone and I randomly pick one when I'm in the relevant supermarket. Win-win for everyone except the supermarket.
Tescos don't know anything about me. But that's just an accident of geography: there's no tesco within range of my food shopping.
So let's substitute Sainsburys, whose superstore is just a mile up the road. They have plenty of data on me: not just the Visa card I normally use to pay, but also (shock, horror) a nectar card they use to pay for my data.
Guess what? I'm not bothered by it. I don't believe Sainsburys are going to do anything nastier to me than to stop stocking something or put a price up. They don't have the power to do anything bad. No police force, no legal system, no apparatus of the State. Dammit, not even influence over relative trivia like a credit score! And I don't begrudge them the information they gather: I think the price they pay is fair enough, and I'm just sorry the information doesn't seem to stop them all-too-often losing things I like enough to pay them for!
Now what GCHQ know about me is much less clear, and that very lack of clarity could be a concern. Their methods of collection are more indirect and therefore likely to be less reliable, which raises concerns over a potential for incorrect data. And the possibility of their data being used by agents of the State with powers to deprive me of life, liberty, or other things of real value, makes their records a whole nother kettle of fish.
 Except in December. Then they play muzak, so I go the extra mile to Lidl instead.
All those who think Tesco don't know about you, think again.
I worked for one of these data processing places a few years back and what they know is shocking and it's not limited to who visits their stores or websites.
I imagine they are even better at it now. I suggest you chuck in a subject access request, or whatever GPDR calls it now.
I nearly always use cash when buying groceries, and I don't have any supermarket "loyalty" cards.
Same. I withdraw cash on payday and use it for almost all purchases during the month that follows. Since my wife had her card skimmed a couple of times, and two attempts on my card, I decided cash is the way to go.
I also don't have loyalty cards, but that's more to do with keeping my wallet buldgw to a minimum.
"getting people off Facebook isn't a terribly good idea because not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US"
So the correct thing to do is reinforce that behaviour? No, the correct thing is to encourage these morons to stop thinking of Facebook as something everyone should and does use.
* I do have a vested interest here as someone who has never had a FB account.
'Journalist Wendy Grossman pointed out that data downloads from Facebook ONLY include information that people have given directly.'...
So just to be clear, in the 'Facebook Download Data' option: 1. There's no Shadow-Profile info! 2. No data on Offline-Tracking of Users! 3. No clues about FB info blended with data from 3rd-party data brokers... 4. No Online or Offline FB tracking revelations regarding Non-Users! 5. Medical / Patient data?
This isn't entirely true; the data download now includes a list entitled
“Advertisers who’ve uploaded a contact list with your information. Advertisers who run ads using a contact list they’ve uploaded which includes contact info that you’ve shared with them or with one of their data partners”
The scary thing is, when I looked at this list prior to deleting my account, it included my bank.
.....“Advertisers who’ve uploaded a contact list with your information.'.....
That's a very small part of Shadow Profile scraping that has only recently been disclosed (2017 in our area). It has barely any of the true high-value user info (User 'Likes' / Real Address / Phone, Job / School info etc). However, the truly scary part is, Facebook is assembling this info anyway. How? As you hinted at, they're taking Telco CRM data and pairing it with email / phone / address as a match to every possible Facebook user account...
In my household that kind of personal info never ever existed on there - ever! Facebook didn't have it! So what's going on here? My guess: Facebook are extrapolating users who are friends / family in the general area and backing out of it, the likely 'secondary' or real email / phone / physical address used by that same user using highly-accurate Telco user databases.
Scary! We since closed our Facebook accounts. Instagram was never used. Can't escape WhatsApp. Its needed for a new job (first time registered). But its on a throw away SIM on a dedicated phone. All personal contacts are on secondary phone that only uses Signal. But its ridiculous you have to go to these lengths!
"As you hinted at, they're taking Telco CRM data and pairing it with email / phone / address as a match to every possible Facebook user account..."
That tallies with the offers of a 50% top up when I next put funds onto my PAYG phone, but only if I do that reload at a train station ticket machine.
I don't know why people keep exaggerating the importance of Facebook. For a reasonable definition of "use", only about half the UK population uses Facebook.
It's unclear how "use" should be defined. There are two big classes of not-quite-users I can think of: there are people who had an account and once used it in the intended fashion but haven't done anything with it in ages; and there are bogus accounts under a false name with no personal information attached which are perhaps used quite frequently but not in the intended fashion, not as "social media". (An example would be creating a temporary account to access a particular service or discussion group. I've done that a few times.)
"... not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US."
It's a good job then that I have absolutely no intention of visiting the USA. Alternatively they might try the only "social media" account I have ever had and checkout Friends-reunited. Good luck with that!
Is only me who finds it really worrying and truly scaring? Or is this just how FB spin doctors are working in the dark to avoid to lose many
users guinea pigs?
"Mandatory" Facebook? It looks "the Circle" could actually be a prophetic book of Doom....
"That this is insanity is obvious. Has anyone run into problems from not having an account?"
If you're travelling to the US regularly, and you don't have an account, I'd be wary of pissing someone off who knows you or working for a company that has a less than stellar reputation. There's always the chance that someone will create a facebook profile in your name, with a smattering of details and pictures, and then link it to all sorts of anti-US or extremist sites etc.
It might be hard to convince the morons in the US that not having a social media profile is not a crime, but I bet it'd be way harder to convince them that all those twitter, facebook and linked-in connections aren't really you.
Whilst I am a facebook user, regularly, (seeded with misinformation and carefully curated to avoid brain-cell losing nonsense), I have created various other accounts on various other platforms to prevent someone hijacking my identity on them.
I find it most irritating that I have to do that, but better safe than sorry?
.....“Advertisers who’ve uploaded a contact list with your information.'.....
There is no way to UNDO this process or Delete your real address/name from Facebook. You can block Ad targeting related to Telco / Bank CRM uploads. But you cannot stop Facebook from churning the info and storing yet even more DERIVED Shadow-Profile data from it. Data that you or me will never see.
None of that is in the Download-Data option. In other words you cannot stop Zuk from having your real address, real phone, real active email. He will get it eventually from the unholy alliance of CRM database uploads, user volunteered posts & pm's, 'ugly-truth' related derived data, plus Experian data brokers etc.
You can't fake this game unless you're a Scammer using fake info when interacting with financial firms. All of this juicy data goes to credit reference agencies. Facebook said its halting 3rd Party advertisers access to Experian etc. Zuk didn't say they're going to stop trading this data themselves, because they're not.
That's why Max Schrems / NOYB is going to be so important to shining a light on these 'dark' data 'cockroach-like' practices. Zuckerberg gets to star as King-roach obviously, using the work of the Stasi as a useful instruction bible. Whatever he's got planned next should scare everybody, as he's not retiring!
And yes the bad 90's Bullock movie 'The Net' is now reality. People's real-world profile will get tangled up with someone else's faked or real digital personas. Even just transiting through US airports. So what now? Avoid US, go elsewhere. That's I do! But how long till UK/Auz et al start doing the same thing?
She argued that getting people off Facebook isn't a terribly good idea because not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US.
This says quite a lot about the mentality of people and governments in general. FB isn't a form of ID or character reference that I'm aware of (or at least is shouldn't be). If someone regards my not having nor ever visiting FB as suspicious than who has the real problem? I'm suspecting that certain agencies have staff are getting lazy as FB is just such easy pickings. I'm still awaiting the 1984 type of "5 minute hate" sessions that are mandatory.
I recall a case a few years ago where the Home Office was aware that a large number of Poles had come into the country, but had lost track of where they were. The solution was to ask Tesco for data about volume of sales for Polish food products. Locations of stores where sales of these had gone up gave a reasonable indication of where those people had gone to.
Round here Tesco does Polish stuff but there are also several Polish shops that give far better service.
Demographics have always been collected by Tesco, as the local Jewish population got older and moved out (or up) there was an influx of Asian families and Tesco suddenly had decent rice at a decent price. For a while, though, if you wanted Scotch Bonnet chillies you'd have to go either west to Tesco Neasden or east to Tesco Tottenham.
Some years back had the dubious pleasure of sitting through a presentation by Tesco Clubcard - they were a major customer of my company, managed within my sales team. Usual account manager was on hols, so my boss went and dragged me along.
Part of the way through, chap from said evil empire asks for a volunteer clubcard number. Just the number. My boss duly obliged.
Clubcard member number entered into system right in front of everyone.
Tesco bod duly reels off the following information about her - Name. Age. Gender. Address. Usual store, and a few other completely innocuous bits.
Then details the age and gender of her two kids, age of husband, husband's probably occupation, favourite foods, usual payday, preferred brands, ABC marketing category, political persuasion, level of education, and a load of other information
He also said he could tell if she was trying for a third child (no, I don't know either), her menstrual cycle (obvious), and would then know if/when she was pregnant.
It alarmed me just how much personal information you give away from your shopping habits. The deeply troubling bit was the barely restrained glee that Tescos exhibited at having this kind of data at their disposal, to flog you even more tat from the Buy N Large empire.
Even more worrying - this was seven years ago. Can any of us honestly expect that data to have remained uncompromised in that time?
The one example I was quoted some years ago was Croissants from Waitrose = turn out target for ****
And yes that specific and yes that's a real quote from the party in question but use case was encouraging only probable supporters to vote during turn out campaigns.
Pre GDPR and some years ago.
I think this was assumptive data based on marketing category (ABC1 type), location, and god knows what else cross referenced back to your constituency.
Thus, a middle aged woman with two kids and husband living in Guildford who fills up her Audi A6 once a week is likely to a different political outlook from a young woman with one child living in Tower Hamlets is likely to be different to the retired woman living in Taunton... (For example)
Quite what Tesco needed that kind of data for is a another matter entirely...
not sure how they would get political persuasion
There must be more people like me who haven't got a political persuasion (because they're all equally crap) or do have but it changes from day to day (depending on what stupid thing Party X did yesterday.)
It could be quite handy if I were to ask Tesco what my political persuasion actually was, if I had a card.
"I'm not sure how they would get political persuasion "
Believe it or not, the products you buy can provide indicators of your probable political persuasion. Do you buy sustainable products or frozen ready meals? Cheap alcohol or expensive spirits? Certain newspapers or magazines? All of this and more can puff up that all-important profile...
Here's one of many studies on that very subject examining the purchase of GMO products and political preferences.
Most of this is guessed/inferred, not actually known. Payday? Unless they are looking at my bank account there's no way they would know that. No, I don't have a Tesco bank account but I do have their credit card, the timing of spending and billing of which is entirely unrelated to when I get paid, as is my shopping.
Occupation/husband's occupation? Not sure how my supermarket shop could give this away, unless you buy a specific magazine for that occupation (how many of those are there?)
My guess is that Tesco and the others have a lot of semi-accurate and some completely inaccurate information about people.
"My guess is that Tesco and the others have a lot of semi-accurate and some completely inaccurate information about people."
Tesco probably does what most other slurpy companies do: they combine the data they directly connect with data from other commercial sources such as credit reporting agencies, etc. This is what Big Data is all about. You shouldn't think that what a company learns directly from you is the only stuff the company knows. It isn't.
"Occupation/husband's occupation? Not sure how my supermarket shop could give this away, unless you buy a specific magazine for that occupation (how many of those are there?)"
Like JohnFen says, they buy that bit in. From somewhere like here:
According to the good Dr. Levy "We need to design systems that fail in predictable and safe ways. "
Not really a surprise, but some way of actually doing it would be nice. Computer systems with literally millions of lines of code running on processors with literally millions of transistors are virtually impossible to analyse in detail to see how they will fail (and 'prove' in some way that they will fail safely and gracefully).
I wonder whether he'll be telling us all how he thinks it can be done in the next few years.
Re: Tesco - they only know that I do not shop with them, unless they've hacked into the Sainsbury's Nectar Points system, in which case I am undone!
I made the same point about the Tesco's hold on your personal data in my "Datastophe" blog back in 2007. But I also made the point that it is nowhere near as sensitive (or valuable) as the Data (then, recently) "mislaid" by the HMRC (see same blog)
I didn't make the point then which I do nowadays. Governments are - universally - the biggest bullies in the playground. The only reason we need to tolerate them at all is that, when they work remotely like they're supposed to, they help protect us from the other, lesser, bullies.
But increasingly, they are a) hoovering up increasing volumes of our personal data, either illegally, or only legally after a hasty adjustment to their laws and b) increasing abusing that data against the citizenry either to suppress dissidence or to exert social control.
The excess hoovering now routinely includes their self appointed "right" to demand our private data from the likes of Tescos (or ISPs, or Banks etc etc) and THAT is the principle reason we should now object to "corporate surveillance"; the mandatory right of the State to add it to their own ballooning collection.
Ultimately, of course the only credible protection against State abuse is going to be solving the problem of Accountability Theatre. I'm hopeful that may be closer than you might think...
"the only credible protection against State abuse"
is democracy and transparency.
The UK government has a modicum of both and is broadly improving over time.
Frankly I'd rather see my data in their hands than in those of the dot-coms. Just how much democracy and transparency do those dirty little moneygrubbers aspire to?
"Frankly I'd rather see my data in their hands than in those of the dot-coms. Just how much democracy and transparency do those dirty little moneygrubbers aspire to?"
But the point has been made several times that the dot-coms don't have the power nor the ulterior motives of governments in this regard. They just want your money, as has always been the case, even Arkwright's corner store knew plenty about his customers and their habits, but again, only to sell them stuff.
"But the point has been made several times that the dot-coms don't have the power nor the ulterior motives of governments in this regard."
"It has, but I find that point to be entirely unpersuasive."
Have a look at what debt collectors in connection with Telcos and ISPs are up to.
They are deliberately manufacturing debt and then using analytics to identify low spots in your life when you are likely to cough up.
Yeah, and any bank account info, like every time you use your cash card to withdraw cash from the hole in the wall outside Tesco's! So now they know when you go to Tesco they can check the CCTV to watch you and monitor the till to see what you buy. You should get a ClubCard to make life easier for them, they'll appreciate it when they're giving you the rubber glove treatment, an extra squirt of KY can make all the difference!
Of course law enforcement and GCHQ can obtain all your Tesco card data, and share it with the US.
If you have been buying backpacks, pressure cookers, and burner phones recently that trip to Disneyland might not be as much fun as you hoped...
You have purchased so many cans of beans recently you are obviously a terrorist planning a methane explosion...
Oddly enough this was being discussed yesterday. I can't find links other than the s*n so here's some outfit I've never heard of:
Sajid confirming Mi5 et al will be alerted to "suspicious purchases, like vans".
Vans. Suspicious purchases. Almost like they don't live in the real world, isn't it?
Good luck to all those tradespeople who need both a van *and* some sort of hazardous chemical! It's watchlist time.
And the difference is?
I know corporate land has been giddy with data slurping and analysis for years now, with a rather careless attitude to privacy and security, but have they really not yet woken up to the fact that any bad consequences for their customers constitute a real and serious threat to their own existence? It'll be the Facebook-only-worse scandals that will harm them, far more than regulation such as GDPR. They are going to have to be the ones that will have to decide to clean up the masses of toxic data before they get poisoned by it, but they won't until either they or a competitor are the first to croak because of it.
"If TESCO knows, then NSA knows and by proxy GCHQ knows also"
and so too will other agencies such as the Welsh Ambulance Service, Scottish Food Safety Agency, Morpeth Otter Preservation League, etc thanks to the Investigatory Powers Act too
Hopefully Tesco will see I have stopped buying tractor juice and will drop the price to the same as Sainsburys.
With Tesco and Nectar.
If I do not want them to know what I buy I don't use it.
I suppose it may be embarrasing for ready meal buyers, or caged egg buyers, or people who buy really rubbish lager (I mean US not the cheap French stuff). But I buy non embarrassing things so don't care.
But I get decent discounts and once had £90 off Nectar from a huge Ebuyer purchase.
Just think, how can MJI buys beef mince off the butchers counter be used for anything but special offers for more beef mince off butchers counter?
A few years back I moved house and neglected to tell Tesco since I rarely shopped there.
About 6 months afterwards I used my clubcard in a store near my new place for the first time and all of a sudden I started to get my Clubcard statements to my new address. I hadn't left a forwarding address with my old place, or set up any fancy redirects with the Post Office...
there was probably a perfectly reasonable explanation but it was a bit freaky.
Ah yes, it was only last year that Tesco send one of their drones armed with Hellfire missiles to attack the house of David Parker who had betrayed his loyalty card and shopped at the Waitrose instead.
And who can forget all those times the Tesco SWAT teams have smashed in the doors of people's houses at 3:00am to conduct a search for non-Tesco branded marmalade?
When GCHQ screws up it means 'collateral damage', full-body cavity searches and/or ineptly run police raids. Tesco's screw ups mean that maybe the wrong products are placed by the checkout. You are forced by law to contribute to the costs of running GCHQ. You can chose whether to shop at Tesco's or elsewhere without any consequence whatsoever.
One of these is not in any way equivalent to the other.
<quote>She argued that getting people off Facebook isn't a terribly good idea because not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US.</quote>
Seeing that most people do not have a Facebook account, I find the idea of not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US to be utter garbage.
Most people you know don't have facebook.
That's not representative of the population. *Most* people have facebook.
It's not utter garbage, TSA can and do demand your social media info to check your profiles/posts. Telling them you don't have any, immediately makes you more suspect, not less so.
On a rack of identically packaged nuts, all the same "organic" brown colour. One pack is £1.99 or, according to the sign, "Any two for £3". But when you get to the checkout and get charged £3.98 you discover that "Any two" actually means "Any two of the same sort of nut."
Fecking scammers! Avoid Tesco if at all possible.
P.S. Also identical SD cards priced at £18 in Tesco are available for £12 elsewhere
"[...] because not being able to volunteer a social media profile can make someone the subject of suspicion in countries such as the US."
"This makes leaving Facebook problematic for mainstream consumers."
I see, thank you for your valuable insight Ms Grossman.
In other news, I told the doctor my left foot hurts when I stand up. He told me not to stand up.
Tesco are a huge conglomerate, They have operations in much of the world, and investments in many
Theses are some of the brands you may know:
Day & Nite
outside of this they have fingures in many pies and access to insurance, finance and telcoms data, they have holdings in fuel and ventures with Esso. at one point in the 1990s 48p in every £1 spent on the UK Highstreet was spent at TESCO, they still hold 27% of the UK Grocery Market giving them an effective monopoly
FYI(Sainsbury and ASDA have approximatley 16% each and Morrisons has 10%, ALDI, Co-Op, Waitrose and lidl all have about 5%)
..."Tesco probably knows more about me than GCHQ," as one delegate put it....
Then perhaps we should convert the Doughnut into a hyper-store for Cheltenham, and have highly cleared Tesco employees intercepting and breaking North Korean codes...?
As an aside, people might wish to note that SIS (US equivalent - CIA) looks after human spying on other countries, while GCHQ (US equivalent - NSA) looks after the interception and decipherment of telecommunications.
The Security Service (who don't like to be known by their initials) are meant to address other countries attempts to run their equivalent of the SIS. But since the Cold War finished, they have decided to pretend that anyone unhappy with the government MUST be in the pay of the Russians, or some other Axis of Evil place.... Much like the AVH, the Stasi, the KGB, the NKVD....
But Ian Levy, technical director of the National Cyber Security centre, the defensive arm of GCHQ, argued that there have been hundreds of SMB vulnerabilities and hacks over the years, and the Eternal Blue exploit abused by WannaCry was just another.
What a lame bit of fallacious rhetorical logic.The issue with ETERNALBLUE wasn't the vuln it exploited, it was that it was a nicely weaponised reliable exploit for multiple target OS versions.I roll my eyes a bit at the knee-jerk "Western military-surveillance state leaks cyber-weapon that destroys the world" hype from the usual sort of suspects, but there IS a scandal there. It's not that TAO exists, or have exploits and frameworks and whatnot, it's that they got socialed. (And possibly externally hacked as well, IDK)
Biting the hand that feeds IT © 1998–2019