Tech Liberty NZ Defending civil liberties in the digital age

1-Day finds that anonymity is hard

Posted on November 16, 2010

Update: 1-Day claims that they have tweaked the feature so that customers can choose to use aliases. However, there appears to be no way to enter an alias when signing up for an account or proceeding through checkout without an account (18/11/2010).

Update 2: 1-Day support are unaware of any new alias feature. They suggest entering an initial instead of your first name. The site continues to publish live customer data (18/11/2010).


Update 3: 1-Day have now added a checkbox for "Make my purchase public" to the sale process and have included a link that explains the feature. We think that this is sufficient notification and allows people to opt out if they wish, although it would be better if the checkbox were not ticked by default (23/11/2010).

1-Day is another of the many "deal a day" sites. An extra feature on this particular site is Watch People Shop - a dynamic map of NZ with "Sharon in Lower Hutt bought a Mistral Bread Maker 5 minutes ago" overlaid.

Google Map showing 1-Day customer purchases

We were a bit taken aback that 1-Day were releasing this much data about their customers. Weren't they entitled to their privacy?

The 1-Day privacy policy definitely didn't say that they would release customer information in this way:

We will only release account and other personal information if we believe release is appropriate to comply with law; facilitate court proceedings; enforce or apply our terms and conditions; or protect the rights, property, or safety of 1-day Limited, our users, or others.

We contacted 1-Day customer service and asked them what they had to say about this issue. Mac replied with:

I'd also like to point out that we are not revealing any full names or full addresses ..... Simply "John from Auckland just bought X product" - there is no privacy issue.

However, while this data couldn't be used to identify all of their customers, it's easily enough to identify some of them - so we decided to prove it.

We watched the map for a while, looking at the "John in Wellington bought..." and "Nicole in Auckland bought..." messages flashing by, looking for a reasonably distinctive name in a small town.

The first few we found we couldn't identify any further, but then there was that person in Otaki with the interesting name... A quick Google and we had a likely suspect, complete with email address. (Unlike 1-Day, we're not going to identify them.)

Hi there, We're looking at the data that 1-Day is publishing at http://www.1-day.co.nz/orderMap.do Did you make a purchase from 1-Day on Tuesday 16/11/2010?

A couple of hours later we got this response:

Yes I did, it was a tee shirt.

We had the customer! They'd even added in what they bought as additional confirmation it was them (the screenshot above shows the transaction). We now know their full name, email address, where they work and their phone number.

Anonymity is hard

It's well known in the privacy field that anonymising data is harder than you'd think. Statistics NZ go to great lengths to "fuzz" the data they release, particularly when it concerns small populations in small towns.

There's also the famous Netflix data experiment, where Netflix released some carefully 'sanitised' data about their customers' movie-watching history and challenged people to develop a better algorithm for their recommendation system. What they didn't expect was that security researchers would compare the released data to reviews on the Internet Movie Database and successfully identify several of the subscribers.

This case was a lot easier - we only spent about 10 minutes and were able to successfully find and contact one of 1-Day's users. Contrary to what 1-Day thought, a first name and a location are enough to be able to individually identify certain people.
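The re-identification risk described above can be measured rather than guessed at. The following is an added example (not code from the original post or from 1-Day) over a constructed set of "first name, town" records: it counts how many records are singled out by that pair, then tries the mitigations the post touches on, namely publishing an initial instead of a name, a coarser location, and Statistics NZ style suppression of small groups. The names, towns and region mapping are made up for the example.

```python
from collections import Counter

# Constructed "Watch People Shop" style feed: (first name, town). Made-up data.
ORDERS = [
    ("John", "Auckland"), ("John", "Auckland"), ("John", "Auckland"),
    ("Nicole", "Auckland"), ("Nicole", "Auckland"),
    ("Sharon", "Lower Hutt"), ("Sharon", "Lower Hutt"),
    ("Xanthippe", "Otaki"), ("Nicola", "Otaki"),
    ("Nicole", "Wellington"), ("John", "Wellington"),
    ("Sarah", "Wellington"), ("Sarah", "Wellington"),
]

# Assumed town-to-region generalisation used to coarsen the location field.
REGION = {"Auckland": "Auckland", "Lower Hutt": "Wellington region",
          "Wellington": "Wellington region", "Otaki": "Wellington region"}

# Quasi-identifier choices: what the map publishes, and two coarser variants.
def name_town(rec):       return rec
def initial_town(rec):    return (rec[0][0], rec[1])
def initial_region(rec):  return (rec[0][0], REGION[rec[1]])

def unique_records(records, key):
    """Records whose quasi-identifier occurs exactly once in the feed.
    Each one is a singling-out candidate, like the Otaki shopper."""
    counts = Counter(key(r) for r in records)
    return [r for r in records if counts[key(r)] == 1]

def k_anonymity(records, key):
    """Size of the smallest equivalence class: the k in k-anonymity."""
    return min(Counter(key(r) for r in records).values())

def suppress_small_groups(records, key, k):
    """Drop records whose group is smaller than k, the way statistical
    agencies suppress cells for small populations in small towns."""
    counts = Counter(key(r) for r in records)
    return [r for r in records if counts[key(r)] >= k]

if __name__ == "__main__":
    for label, key in [("name+town", name_town), ("initial+town", initial_town),
                       ("initial+region", initial_region)]:
        print(f"{label:15} k={k_anonymity(ORDERS, key)} "
              f"unique={len(unique_records(ORDERS, key))}")
    safe = suppress_small_groups(ORDERS, initial_region, 2)
    print(f"after suppression: k={k_anonymity(safe, initial_region)} "
          f"kept {len(safe)}/{len(ORDERS)}")
```

On this data an initial alone changes nothing, because a lone order from a small town is unique whatever the name is shortened to; only coarsening the location and then suppressing what is still unique gets every published record into a group of at least two.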

Conclusion

We don't think that publishing this data is acceptable without clear permission from the customers whose names are being released. Furthermore, such behaviour is forbidden under the Privacy Act.

Obviously we don't think 1-Day were infringing their customers' privacy deliberately - but we do think that they should stop what they're doing until it's fixed.

Posted by Thomas Beagle

Comments (10) Trackbacks (0)
  1. Nice article mate – I tend to agree that, while the map tool is pretty cool, you make a good point: that data is kind of breaching privacy.

    It is good as it gives me food for thought on some of my own data geo-targeting stuff.

  2. I visited that site for all of half a minute, and a handful of fairly distinctive-sounding names from small towns showed up just like that. That looks like a very serious breach of our privacy.

    I won’t be buying _anything_ from 1-Day until they can prove to the public that they know how to treat their customers’ private information both ethically and legally.

  3. On the plus side, I know my friend Nicola who lives in a smaller area of NZ bought some chocolate today – I plan to pay her a visit!

  4. I work for a Location Based Services company and am totally into location, but privacy is important. At the very least, if I bought something for my kids as a surprise on 1-Day and they do this, the secret would be out instantly with my name and location. This is an invasion of privacy, unless they ask for permission first.

  5. Privacy isn’t the only issue here, there are serious security considerations.
    If someone can get your name and town, they can probably get your street address and phone number from the white pages. This information, plus the information on what you bought and when, provides a lot of ammunition for someone trying to scam via social engineering. Imagine if someone called you on the phone, and they knew what you bought, when you bought it, and the address it was being shipped to. You might be smart enough to question their enquiry, but a lot of people wouldn’t be.

  6. I think it is hard for many people to see how invasions of privacy at this level can be used against them.

    Reading Chris’s comment above made me change my view from “Well, it’s a bit off but probably not too terrible” to “this really is a problem”.

    I can really see a situation where a person could be rung up with all the above information, informed that their credit card wasn’t accepted and asked to confirm the number. How many people would question that if they had all your details including what you purchased and when?

  7. I dug around the code a little bit, it seems their feed of orders includes an order number as well as latitude/longitude coordinates. It’s remotely possible those coordinates identify the actual street address of the customer, but I can’t confirm that. I did see two “Wellington CBD” orders with different addresses come through.

    • I wonder if with a person’s name, address (found as above, via finding a unique name in a small town and googling for their details) along with date/time of order + order number would be enough to call 1-day and intercept someone’s order and get it sent elsewhere.

  8. Cool of you to redact that. Some other blog did not. You doing that fits with the point you are making.
