A Creeping Private-Sector “Checkpoint Society”—and a Small Step to Protect Your Privacy

I was at a Target store recently and threw a bottle of wine in my cart to bring as a gift to a party. Later, when I got to the register, the cashier asked to see my ID. That in itself was silly, because it’s safe to say I’m a few years past the point where anyone might mistake me for someone under 21. But whatever; alcohol age-enforcement has gotten bureaucratic beyond all reason.

I held the ID up for her to see. Before I could react, she took my license from my fingers, held it up to a scanner, and BEEP!

Presto: all the information on my license (I had to assume) was flashed into Target Corporation’s computer system. In my state that includes height, weight, sex, date of birth, full legal name, address, driver’s license number, need for corrective lenses, and organ donor status. Some states’ licenses contain even more information. But the only thing the cashier really needed was to see the year of birth on my license—actually, just the last two digits would be enough.

“I didn’t give you permission to do that!” I objected to her. But the deed was done.

At a minimum, this aggressive grabbing of my personal information by Target was just plain rude. It was also a potentially significant invasion of my privacy (more on this issue here and here).

There are a lot of permissionless seizures of our private information taking place these days, but usually they don’t take such a physical form. Target’s privacy policy, unlike many companies’, does address not only their web site but also their offline practices. But (like so many other companies’) it is so broad that it imposes few restrictions on what they do.

Bars, of course, also routinely ask people for their IDs—and the scanning of licenses by some bars has been reported for years. In 2002, the NYT reported that some bars were using data from patrons’ licenses to compile databases for marketing purposes. There are reports of bars in the US and Canada moving toward using this infrastructure to create blacklists of supposed troublemakers (which raises not only privacy but also abuse and due process concerns). European colleagues report that several countries there have made similar moves towards combining ID checks and blacklists in order to block alleged “troublemakers” from traveling to or visiting certain areas. Other private-sector blacklists are also being created. Some retailers, for example, require customers who are returning an item to permit their driver’s licenses to be swiped so that their returns can be tracked and compared against a secret list of individuals who have made too many returns.

Not long after the Target incident, I went to a meeting hosted in a fancy Washington, D.C. law firm building that, judging by its security procedures, apparently thinks it’s #1 on Al Qaeda’s hit list. As in many buildings, the security guard asked to see my ID—standard silly security—and once again, before I could object: BEEP! My license was data-dumped. I never expected this from a building security checkpoint. I was very annoyed, and started to give the guard a piece of my mind, but like the Target cashier, he was of course just following the instructions he’d been given, and there was nothing to be done. So now I have to presume that the security people at some unnamed building management company have all the information on my driver’s license. (The guard claimed the information was not retained but just used to print me out a temporary badge, but I can’t know how much credence to put in that.)

“Enough of this,” I thought, and while I was upstairs in that meeting, I took the very simple step of tearing a strip off my “Hello… my name is” nametag sticker and covering up the barcodes on the back of my driver’s license. Here is a picture of the back of my license:

The back of my driver’s license, with sticker covering bar codes

That should thwart the next person who tries to grab all my ID information without permission. At the very least, I am now able to enter into a negotiation before any swiping takes place. If someone has a need to scan my license that I recognize as legitimate, such as a police officer who has pulled me over for speeding, the sticker is easily removable. (State laws usually ban “altering” a driver’s license, but it would be hard to imagine anyone claiming that placement of a temporary, easily removable sticker on the back surface of one’s license, with no fraudulent intent, could be a violation of such laws. However, any kind of more permanent erasure of a barcode is probably not a good idea.)

Note that a few states, including California, Rhode Island and New Hampshire, have passed laws limiting third-party access to, and retention of, information on driver’s licenses. The American Association of Motor Vehicle Administrators has proposed model legislation imposing such restrictions, but it is not clear that many states have adopted it.

There are a couple of broader points to make about this experience.

• First, this is one of those all-too-rare cases in which you can take a simple and direct action to protect a little bit of your privacy, which so often is a matter of social policy over which the individual has little control other than through the democratic political process. There’s not much you can do to prevent records being kept of your comings and goings if you use an electronic toll pass, for example—or, credit cards at Target.

• Second, this incident is a reminder of our need for comprehensive data privacy laws that institute the Fair Information Practices—rules recognized around the world as minimum standards for fair treatment of individuals.

• Finally, there has been talk from time to time about putting RFID chips into driver’s licenses. We have fought for a number of years against the inclusion of RFIDs in identity documents of any kind, not only because of the security concerns they raise, but also because of just the kind of thing I’m talking about here—the potential that stores, restaurants and bars, office buildings, etc., will install devices for routinely reading these IDs, leading to an infrastructure for pervasive tracking—and following that, control (for example, through the use of blacklists to exclude certain people from certain places). Passports and Enhanced Driver’s Licenses used for border crossing in some states such as New York, Vermont, Michigan and Washington, already contain RFID chips, but they are probably not common enough that stores or bars would invest in the infrastructure for reading them – at least so far, that we’ve heard of. It’s bad enough to have someone scan your driver’s license without asking—at least you can take control of that as I have done. It would be far worse if they could do so from across the room without you even knowing, or being able to stop it.

Recently, I went back to Target, and added a bottle of wine to my cart to see how they would handle my new, sticker-sporting license. This time, the cashier was ordered by her computer to get my ID from me because I was buying a bottle of soda—before I’d even taken the wine out of my cart. “This happens a lot,” said the nice cashier, adding that while the soda appeared to be some kind of bug, there were other non-alcohol products that persistently required that the cashiers scan IDs. Internet reports indicate some stores are requiring ID scans for video games sales and even compressed air, for example.

She took my ID and tried to scan it; when it didn’t work she didn’t bat an eye, as apparently it’s routine that some IDs are “non-scannable.” She had to call a supervisor to over-ride her computer’s insistence that she scan an ID.

I called Target to ask them about their policy and they emailed me a statement that said:

Swiping a guest’s ID allows Target to verify the age or identity of guests with a simple process. It also allows Target to control the sale and distribution of restricted products.

When swiping a guest’s ID, Target only retains the data that is relevant to the type of transaction. For example, in the case of your alcohol purchase, only your date of birth was retained with the receipt. Information obtained during the ID swipe is not used for any other purposes.

It is very good to hear that they don’t retain all the data from scanned licenses or use it for other purposes. Though, I don’t see why they have to retain date of birth, which is a powerful piece of information frequently used to uniquely identify a person and disentangle their data from others’.

I am going to leave that sticker on my license.

Companies are in the business of making money, and as long as nobody stops them, they are likely to continue using every stratagem at hand to collect our personal information that is so valuable to them. There are two ways to stop them: A) enacting laws, and B) consumer pressure. The first is vital, and we need to keep working on that, but meanwhile shoppers should take whatever small steps they can to defend their data from grasping hands.

Add a comment (12)
Read the Terms of Use

Tinfoil 2.0

Typically the only information needed to be verified or retained from an ID check is a very coarse: "under 18", "under 21", "over 21". DOB should definitely be off-limits unless required by law.

I've been considering making a label to cover parts of the front of my license too, leaving only year of birth visible in the DOB field, and blocking out my middle initial and address, for example.

Arthur

Just in case you weren't sure: the age-check for video games is due to the store trying to comply with the voluntary ESRB guidelines for age-appropriate content and the age-check for compressed air is due to a 2005 report of a kid who died trying to use a can of compressed air to get high.

Anonymous

In Utah they made a change in liquor laws but had to make some negotiations with The Church of Jesus Christ of Later Day Saints to do so. Utah use to require membership in a bar or club before you can buy any liquor. This was removed and in it's place is a law requiring bars and clubs to scan a persons drivers license in order to stop underage drinkers from forging license which was a concern by the LDS church if the membership requirement was dropped. In addition, the police received and are currently using state of the art license plate scanners in the parking lots of bars. With the drivers license information and platescans, I wouldn't be surprised if the local police have compiled a database of people who frequent bars to treat as potential DUI drivers for frequenting bars even if the person could be a designated driver and not drink. It's scary what is collected and stored by the government and private industry and there should be privacy laws to protect us from abuses by all levels of the Government and also private industry.

Anonymous

Seeking an attorney to begin a class action suit against Target Stores for this unauthorized ID scanning debacle. A website can be established and then upset customers, like me and hundreds or thousands of others, will contribute a few dollars that in the aggregate will cover attorney’s fees to get this started. Target cashiers are obviously under some distress over being forced by supervisors to do the unauthorized scanning. Their deposition testimony will be interesting. Subpoena’s of Target’s scanned ID data will also be very interesting. Rather than simply bitch on these complaint websites, let’s get organized and stand up for what’s right!

Anonymous

I have in the past successfully requested that my license is inspected visually by a supervisor, upon which the supervisor enters my d.o.b. and her id code to authorize the scan override. This almost always works. Today however, the supervisor claimed it could not be done. We argued. She refused to even try. I left all my merchandise at the register (everything, not just the item that required ID) and walked out. After I got home I lodged a complaint with the complaint dept.
I am not too worried about giving my date of birth because I pay cash so it's useless information. But I really like the sticky strip. I will do that in case they try pull a fast one on me. Another option is not to let the license leave your hand.

Anonymous

Ok conspiracy theorists, get a life. As a target cashier, people like you make me hate my job. The government has no access to your information, as told by target privacy policy. If you're so goddamn unhappy with people scanning your license, your doomed to shop happily anywhere. There's more important things to scanning a license than your hissy fit, like kids overdosing on medicines or dying from an attempt at getting high off of compressed air, or the meth lab in your neighborhood due to an over buying of NyQuil/DayQuil. Get over yourself and stop attempting to put millions of target employees out of work by a fucking lawsuit. Do both of us a favor and stop shopping there. Please an thank you. Ps you're a paranoid freak

Anonymous

There is a HUGE amount of ignorance and naiveté in the post of Feb 17th. Target, or any others who scan what should be your personally protected information into their database can change their privacy policies, get hacked, compile valuable personal data on you that once out of the bag cannot be put back in, or otherwise compromise your basic right to privacy and anonymity at any time. It is not necessary to scan a driver's license in order to verify that you are legally able to purchase an item. Nor is it necessary to compile a list of shoppers who purchase things such as Sudafed. They can do that by using your driver's license number instead as it is more anonymous than your name yet identifiable by law enforcement if need be. They do not need your name, address, ht, wt, gender and FACIAL RECOGNITION information (the data is already coded into your license) to verify your age or maintain a log. They do not need to scan any of that information into a database that I guarantee is retaining every bit of it. We are not conspiracy theorists, we are thinking men and women who are AWARE of underhanded tactics that most of the public simply runs right by on their way to jumping off the cliff with other lemmings. They can and have visually confirmed shopper information for many years. Why do think they are now scanning your license and all of the information contained therein into their database? It's called DATA MINING and don't think they do not have the ability to tie it to your receipt, the items purchased, your in store 'customer loyalty card,' any charge cards you use for payment AND a facial recognition program that sees you the moment you enter the store then sends your phone targeted advertising paid for by the good folks at Johnson & Johnson, Nestle or Coca-Cola. WAKE UP...you're in the new millennium! Have you not noticed that our world has become more and more like the movie 'Minority Report' with each advancement in technology??? By a vowel and get yourselves a clue little miss sunshine. BTW, suing the corporation who uses these tactics is more like many people taking their personal time to protect your fanny than it is about taking jobs away from the little guy, that's the result of CEO compensation and upper level management's greed. You need to come back from over the rainbow and open your rose colored eyes to the world in which we live. I am grateful to those who took steps to protect our rights while others remain in blissful ignorance.

Anonymous

It is not necessary to scan a driver's license to verify your age or compile a list of shoppers who purchase things such as Sudafed (for which they could use your driver's license number as it is more anonymous than your name yet identifiable by law enforcement if need be). They are collecting your name, address, ht, wt, gender and FACIAL RECOGNITION information (this data is coded into your license) and retaining every bit of it. They have the ability to tie it to your receipt, the items you purchased, your in store 'customer loyalty card,' any charge cards you use for payment AND a facial recognition program that sees you the moment you enter the store. They can use it to send your phone targeted advertising paid for by the good folks at Johnson & Johnson, Nestle or Coca-Cola, depending on what your spending habits are. Your purchase records can also be used against you in court (been done already). Finally, CEO compensation and upper level management greed is what takes money from the working man, not lawsuits brought about by people spending their valuable time to protect my rights. Anyone who has scanned your license can change their privacy policies, get hacked, or otherwise compromise your basic right to privacy and anonymity at any time. They are compiling valuable personal data that once out of the bag cannot be put back in.

Anonymous

It is not necessary to scan a driver's license to verify your age or compile a list of shoppers who purchase things such as Sudafed (for which they could use your driver's license number as it is more anonymous than your name yet identifiable by law enforcement if need be). They are collecting your name, address, ht, wt, gender and FACIAL RECOGNITION information (this data is coded into your license) and linking it to your receipt, the items purchased, your in store 'customer loyalty card,' any charge cards you use for payment AND a facial recognition program that sees you the moment you enter the store. They can send your phone targeted advertising paid for by the good folks at Johnson & Johnson, Nestle or Coca-Cola depending on how you shop. Your purchase records can also be used against you in court (been done already). Anyone who has scanned your license can change their privacy policies, get hacked, or otherwise compromise your basic right to privacy and anonymity at any time. They are compiling valuable personal data that once out of the bag cannot be put back in. Finally, CEO compensation and upper level management greed is what takes money from the working man, not lawsuits brought about by people spending their valuable time to protect my rights.

Anonymous

wonder what the target cashier thinks now. avoid this .

Pages

Sign Up for Breaking News