Update: 1-Day claims that they have tweaked the feature so that customers can choose to use aliases. However, there appears to be no way to enter an alias when signing up for an account or proceeding through checkout without an account (18/11/2010).
Update 2: 1-Day support are unaware of any new alias feature. They suggest entering an initial instead of your first name. The site continues to publish live customer data (18/11/2010).
Update 3: 1-Day have now added a checkbox for "Make my purchase public" to the sale process and have included a link that explains the feature. We think that this is sufficient notification and allows people to opt out if they wish, although it would be better if the checkbox was not ticked by default (23/11/2010).
1-Day is another of the many "deal a day" sites. An extra feature on this particular site is Watch People Shop - a dynamic map of NZ with "Sharon in Lower Hutt bought a Mistral Bread Maker 5 minutes ago" overlaid.
We were a bit taken aback that 1-Day were releasing this much data about their customers. Weren't they entitled to their privacy? 1-Day's own privacy policy says:
We will only release account and other personal information if we believe release is appropriate to comply with law; facilitate court proceedings; enforce or apply our terms and conditions; or protect the rights, property, or safety of 1-day Limited, our users, or others.
We contacted 1-Day customer service and asked them what they had to say about this issue. Mac replied with:
I'd also like to point out that we are not revealing any full names or full addresses ..... Simply "John from Auckland just bought X product" - there is no privacy issue.
However, while a first name and a town can't be used to identify all of their customers, it is more than enough to identify some of them - so we decided to prove it.
We watched the map for a while, looking at the "John in Wellington bought..." and "Nicole in Auckland bought..." messages flashing by, looking for a reasonably distinctive name in a small town.
The first few we found we couldn't identify any further, but then there was that person in Otaki with the interesting name... A quick Google and we had a likely suspect, complete with email address. (Unlike 1-Day, we're not going to identify them.)
Hi there,
We're looking at the data that 1-Day is publishing at http://www.1-day.co.nz/orderMap.do
Did you make a purchase from 1-Day on Tuesday 16/11/2010?
A couple of hours later we got this response:
Yes I did, it was a tee shirt.
We had the customer! They'd even added in what they bought as additional confirmation it was them (the screenshot above shows the transaction). We now know their full name, email address, where they work and their phone number.
Anonymity is hard
It's well known in the privacy field that anonymising data is harder than you'd think. Statistics NZ go to great lengths to "fuzz" the data they release, particularly when it concerns small populations in small towns.
There's also the famous Netflix Prize experiment, where Netflix released some carefully 'sanitised' data about their customers' movie-watching history and challenged people to develop a better algorithm for their recommendation system. What they didn't expect was that security researchers (Narayanan and Shmatikov) would compare the released data to public reviews on the Internet Movie Database and successfully identify several of the subscribers.
This case was a lot easier - we only spent about 10 minutes and were able to find and contact one of 1-Day's users. Contrary to what 1-Day thought, a first name and a location are enough to individually identify certain people: a common name in a big city hides in a crowd, but a distinctive name in a small town narrows the search to one person.
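To make the point concrete, here is an added Python example (our illustration, not code from the original post or anything 1-Day runs). It parses a constructed sample of "Name in Town bought X" messages in the format the map displays, groups them by the published label, and reports the smallest group size (the k in k-anonymity): a k of 1 means some label points at exactly one message. It then tries the generalisations discussed above - the "use an initial" workaround support suggested, coarsening the town to a region, and dropping the name entirely - and shows a Statistics NZ-style suppression step that withholds any message whose label is shared by fewer than k others. The feed, the town-to-region table and the function names are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample feed in the format the map displays (not real 1-Day data).
FEED = [
    "Sharon in Lower Hutt bought a Mistral Bread Maker 5 minutes ago",
    "John in Wellington bought a Tee Shirt 3 minutes ago",
    "John in Wellington bought a Kettle 2 minutes ago",
    "Nicole in Auckland bought a Heater 1 minute ago",
    "Nicole in Auckland bought a Tee Shirt 7 minutes ago",
    "Xanthippe in Otaki bought a Tee Shirt 4 minutes ago",
    "Sharon in Wellington bought a Toaster 6 minutes ago",
    "Sam in Otaki bought a Drill 9 minutes ago",
]

MSG_RE = re.compile(
    r"^(?P<name>\S+) in (?P<town>.+?) bought (?P<item>.+?) \d+ minutes? ago$"
)

# Assumed town -> region table for the sample; a real audit would use a gazetteer.
REGION = {
    "Lower Hutt": "Wellington region",
    "Wellington": "Wellington region",
    "Otaki": "Wellington region",
    "Auckland": "Auckland region",
}


def parse_feed(lines):
    """Turn each map message into a (first name, town, item) record."""
    records = []
    for line in lines:
        m = MSG_RE.match(line)
        if m:
            records.append((m["name"], m["town"], m["item"]))
    return records


# Generalisation strategies: each maps (name, town) to the label that gets published.
def as_published(name, town):   # what the map shows today
    return (name, town)

def initial_only(name, town):   # the workaround 1-Day support suggested
    return (name[0], town)

def initial_and_region(name, town):
    return (name[0], REGION.get(town, "elsewhere"))

def region_only(name, town):    # drop the name altogether
    return ("someone", REGION.get(town, "elsewhere"))


def class_sizes(records, generalise):
    """Count how many feed messages share each published label."""
    return Counter(generalise(name, town) for name, town, _ in records)


def k_anonymity(records, generalise):
    """Smallest class size. k == 1 means some label matches a single message.
    This counts messages, not customers, so repeat buyers inflate k."""
    return min(class_sizes(records, generalise).values())


def unique_labels(records, generalise):
    """Labels that match exactly one message: the re-identification candidates."""
    return sorted(lbl for lbl, n in class_sizes(records, generalise).items() if n == 1)


def publishable(records, generalise, k):
    """Suppress any message whose label is shared by fewer than k messages."""
    sizes = class_sizes(records, generalise)
    out = []
    for name, town, item in records:
        lbl = generalise(name, town)
        if sizes[lbl] >= k:
            out.append(f"{lbl[0]} in {lbl[1]} bought {item}")
    return out


if __name__ == "__main__":
    recs = parse_feed(FEED)
    for title, g in [("as published", as_published), ("initial only", initial_only),
                     ("initial + region", initial_and_region), ("region only", region_only)]:
        print(f"{title:17s} k={k_anonymity(recs, g)} unique={unique_labels(recs, g)}")
    print("\n".join(publishable(recs, initial_and_region, 2)))
```

On this sample the raw feed and the "just use an initial" version both have k = 1, and even initial plus region still leaves the one customer with a rare initial exposed; only dropping the name gets every label shared by at least two messages. The suppression step is the practical middle ground: keep the feature, but withhold any message that would be one of a kind.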
We don't think that publishing this data is acceptable without clear permission from the customers whose names are being released. Furthermore, such behaviour is forbidden under the Privacy Act.
Obviously we don't think 1-Day were infringing their customers' privacy deliberately - but we do think that they should stop what they're doing until it's fixed.