Is Target Corporation targeting your personal data ? Will a data breach make you a victim of identity theft ? (image linked from angrywhiteboy.org)
You might have found this article after asking…
Why did Target scan my drivers license, or
Why did Target swipe my drivers license, or
Is Target collecting personal information from my drivers license, or
What is the Target stores ID policy, and what if I refuse to give them my drivers license, or
Did a jury award South Carolina Target shopper Rita Cantrell $3.1 million in a libel case, after she was wrongly accused of trying to pass a counterfeit $100 bill at Target ?
Maybe Eric Arthur Blair was right (you’ll probably know who he was, even if you don’t recognize his name).
We very rarely shop at Target, but happened to find ourselves in a Target store recently. While our order was being scanned at the register, even before we decided how we would pay, the cashier asked for our drivers license. When asked why they needed to see our drivers license, they told us that it was because we were buying a package of over-the-counter cold medicine. Since we are closer to retirement age than we are to the age of majority, we can’t remember the last time a clerk or cashier “proofed” us. But since we want to do our part to make sure that no minors can get relief from their cold or flu symptoms, we graciously handed the cashier our license. We quickly regretted complying with their request, when, to our horror, the cashier scanned the barcode on our license with their barcode reader, before we realized what they were doing, and before we had a chance to stop them. It is worth noting that the last time I checked, this was still America, and there was absolutely no legal requirement for a retailer to scan or swipe your drivers license, or any other form of ID when purchasing medications, alcoholic beverages, etc. Target appears to have adopted this misguided policy to protect themselves, and to possibly make their job easier (but at your expense). What’s next ? Scanning a barcode tattooed on your forehead by the State, or scanning you for the mandatory RFID chip implanted under your skin at birth ?
It seems to us that Target might be capturing at least some the information embedded in the barcode of your drivers license. If not, then simply having the cashier confirm the date of birth printed on the license would suffice, and scanning the license would serve no purpose. This makes us wonder what they might be doing with the data. How long are they retaining the data ? Do they sell the data, or use it for marketing purposes ? Will they provide the data to the government, either voluntarily or in response to a subpoena or a National Security Letter ?
As (now very wealthy) South Carolina Target shopper Rita Cantrell can attest, Target can’t distinguish real currency from counterfeit. Likewise, we have little confidence that their employees, POS scanners or computer systems would be able to tell a fake drivers license barcode from the real thing.
Are you wondering what information Target (and other retailers) can capture from your drivers license barcode, in this post-9/11, “Homeland Security” driven world ? The American Association of Motor Vehicle Administrators (aamva.org) publishes the standards that the individual states follow when designing their drivers licenses. This AAMVA document (in .PDF format) lists 22 mandatory and 23 optional data elements that are encoded into the PDF417 barcode that is used on U.S. drivers licenses. Did you know that items such as a driver’s race/ethnic group and social security number can be embedded in the barcode ? The individual states are free to add additional data elements that are not included in the AAMVA standard.
We suspect that Target would be happy to sell cold medicine to this fellow, as long as he allows them to scan his drivers license.
Even if Target Stores does not have any ulterior motives, the fact that they are able to capture any or all of the data embedded in your drivers license barcode exposes their customers to the threat of identity theft. The fact that their name is Target doesn’t help the situation either, if you catch our drift. I mean, just look at their stores… they put a big red bulls eye right on the front of every store ! If that isn’t taunting all the hackers out there, I don’t know what is. Maybe we would be less concerned if their name was “Fortress” or something along those lines, and their logo was a bank vault, rather than a bulls eye. Even their cute mascot, Bullseye, looks like he would rather lick you to death than defend the company’s customer data. Retailers, credit card companies, banks and other businesses are constantly making headlines because their networks are hacked into, their data stolen, and their customers or employees personal and financial information compromised. Sometimes it’s a hacker breaking into a computer network. Sometimes, it’s a rogue employee inside a company or at a vendor that has access to a company’s systems. Sometimes, it’s a laptop computer containing sensitive information that is lost or stolen. Sometimes, backup tapes are lost in transit to an off-site storage location. There are many ways that customer data can be put at risk of theft.
Now we’re wondering if we will pick up the newspaper one day, and see the headline “Target Stores Targeted By Hackers, Personal Info From 50 Million Customers Stolen”. Think it can’t happen ? Think Again. It has happened to other large retailers, banks and credit card companies.
How can consumers protect themselves ? Well, it’s nearly impossible in the age of The Internet and when “plastic” has largely supplanted the use of cash. But nothing says that you have to shop at a retailer that unnecessarily places your personal information at risk, even if its only a potential risk. We doubt that we will be shopping at Target stores again, but if we do, and we are asked for our drivers license in the future, we will refuse and walk out. If collecting our personal data is more important to Target than keeping us as a customer, we will gladly take our business elsewhere, and patronize a business that does not unnecessarily expose us to the threat of identity theft. Speaking of Target, we think that letting retailers scan and capture the data stored in your drivers license barcode is a lot like placing a bullseye on your back.
We are normally happy to accomodate a merchant’s request to provide suitable ID, especially when the transaction involves payment by check or credit card, or we are returning an item, but Target’s policy is unacceptable, and we believe, simply wrong. And we’re not the only one who feels this way. This article at informationweek.com echoes our concerns about Target’s policy. From a purely practical standpoint, we suspect that draconian policies such as the one put in place by Target will backfire, with (even more) people simply deciding to steal the medication. OTC pharmacy items are already the most frequently shoplifted items (see this list of the 50 most frequently shoplifted items). And isn’t it just a bit ludicrous (not to mention, rude) to ask a senior citizen buying cold medicine to prove they’re 18 years old ?
As far as we know, Target customers concerned about identity theft can still do their shopping at Walmart without having to show them your drivers license when buying cold medications. If you are very obviously over the age of 18, and asked for your drivers license at a Target store, we suggest that you decline. If they persist, simply tell them that under the circumstances, you have changed your mind and don’t wish to purchase anything. It won’t take Target very long to realize that their policy is costing them business, and that they need to change it. They might not enjoy having to put all your stuff back on the shelves after you walk out without buying it, but at least your personal data will be safe.
– Routing By Rumor