The Washington Post

Google now knows when its users go to the store and buy stuff

May 23, 2017 at 8:00 p.m. EDT

"While we developed the concept for this product years ago, it required years of effort to develop a solution that could meet our stringent user privacy requirements," Google said in a statement. "To accomplish this, we developed a new, custom encryption technology that ensures users' data remains private, secure, and anonymous."

The announcement comes as Google attempts to weather an outcry from advertisers over how their ad dollars are spent. Google is working to move past an advertising boycott of YouTube, its lucrative video site, after news reports that ads for mainstream brands were appearing alongside extremist content, including sites featuring hate speech and violence.

Google for years has been mining location data from Google Maps in an effort to prove that knowledge of people’s physical locations could “close the loop” between physical and digital worlds. Users can block this by adjusting the settings on smartphones, but few do so, say privacy experts.

This location tracking ability has allowed Google to send reports to retailers telling them, for example, whether people who saw an ad for a lawn mower later visited or passed by a Home Depot. The location-tracking program has grown since it was first launched with only a handful of retailers. Home Depot, Express, Nissan, and Sephora have participated.

“Google — and also Facebook — believe that in order to get digital dollars from advertisers who are still primarily spending on TV, they need to prove that digital works,” said Amit Jain, chief executive of Bridg, a digital advertising start-up that matches online to offline behavior. “These companies have to invest in finding the identity of the consumer at the moment when that shopper is at the cash register.”

Tuesday’s announcement gives Google a clearer way to understand purchases than location alone, and allows it to see purchase activity even when consumers deactivate location tracking on their smartphones.

Google executives say they are using complex, patent-pending mathematical formulas to protect the privacy of consumers when they match a Google user with a shopper who makes a purchase in a brick-and-mortar store.

The mathematical formulas convert people’s names and other purchase information, including the time stamp, location, and the amount of the purchase, into anonymous strings of numbers. The formulas make it impossible for Google to know the identity of the real-world shoppers, and for the retailers to know the identities of Google’s users, said company executives, who called the process “double-blind” encryption.

The companies know only that a certain number of matches have been made. In addition, Google does not know what products people bought.

“Through a mathematical property we can do double-blind matching between their data and our data,” said Jerry Dischler, vice president of product management for AdWords, Google's online advertising service, in an interview. “Neither gets to see the encrypted data that the other side brings.”
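Google has not published its formulas, so the following is an added illustration rather than the company's method: a textbook private set intersection cardinality exchange built on commutative exponentiation in a prime-order group, which has exactly the properties described above (each side blinds its own records, only sees the other side's blinded values, and the output is a count of matches rather than identities). The retailer and ad-platform roles, the name-plus-postcode matching key, and the people listed are constructed sample data.

```python
import hashlib
import secrets

# RFC 3526 1536-bit MODP group, a safe prime p = 2q + 1.  Exponentiation in
# its order-q subgroup is the commutative blinding the exchange relies on.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2

def hash_to_group(key: str) -> int:
    """Map a normalised matching key to an element of the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(key.encode()).digest(), "big") % P
    return pow(h, 2, P)  # squaring lands in the quadratic-residue subgroup

def blind(values, secret):
    """Raise every element to a party's secret and shuffle, so the receiver
    cannot link what comes back to the order it sent."""
    out = [pow(v, secret, P) for v in values]
    secrets.SystemRandom().shuffle(out)
    return out

def double_blind_match_count(retailer_keys, platform_keys):
    """Two-party private set intersection cardinality (DDH style).  Each side
    only ever sees the other's blinded values and the final count."""
    a = secrets.randbelow(Q - 1) + 1   # retailer's secret exponent
    b = secrets.randbelow(Q - 1) + 1   # ad platform's secret exponent
    # Round 1: retailer sends H(x)^a for each purchaser.
    r1 = blind([hash_to_group(k) for k in retailer_keys], a)
    # Round 2: platform returns (H(x)^a)^b and sends its own H(y)^b.
    r2_retailer = set(blind(r1, b))
    r2_platform = blind([hash_to_group(k) for k in platform_keys], b)
    # Round 3: retailer computes (H(y)^b)^a; equal keys now collide.
    return len(r2_retailer & set(blind(r2_platform, a)))

def normalise(name, postcode):
    """Constructed matching key: case- and whitespace-insensitive name + postcode."""
    return f"{name.strip().lower()}|{postcode.strip()}"

# Constructed sample data; two people appear on both sides.
RETAILER = [normalise("Ada Lovelace", "90210"), normalise("Alan Turing", "02139"), normalise("Grace Hopper", "22201")]
PLATFORM = [normalise("ada lovelace ", "90210"), normalise("Linus Torvalds", "97201"), normalise("Grace Hopper", "22201")]
```

Because both sides shuffle before replying, the retailer learns that two keys matched but not which two, and the platform learns nothing beyond the size of the retailer's list.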

The tech giant declined to describe its mathematical formulas in anything more than broad terms, citing a pending patent. Dischler said the work was based on a 2011 research paper by three MIT scientists, which was funded by Google and Citigroup.

Dischler described the modeling as a “revolutionary” step forward for both Google and advertisers. He added that users who signed into Google’s services had consented to Google sharing their data with third parties.

But the company would not say how merchants had obtained consent from consumers to pass along their credit-card information. Google said it requires its partners to use only personal data that they have the “rights” to use, but it would not say whether that meant the consumers had consented.

In the past, both Google and Facebook have obtained purchase data for a more limited set of consumers who participate in store loyalty programs. Those consumers are more heavily tracked by retailers, and often give consent to share their data with third parties as a condition of signing up.

Tuesday’s initiative enables Google to use transaction data from a much wider swath of consumers than ever before, but the lack of detail on how personal data was being handled caused concern for privacy advocates.

Paul Stephens, of Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego, said only a few pieces of data can allow a marketer to identify an individual, and he expressed skepticism that Google’s system for guarding the identities of users will stand up to the efforts of hackers, who in the past have successfully stripped away privacy protections created by other companies after data breaches.

“What we have learned is that it’s extremely difficult to anonymize data,” he said. “If you care about your privacy, you definitely need to be concerned.”

Such data providers have been the targets of cybercriminals in the past. In 2015, a hack of data broker Experian exposed the personal information of 15 million people.

Timberg reported from Washington.