Naked Security

Google quietly bought Mastercard credit and debit card records

The multimillion dollar data buy allows Google to link what we buy in brick-and-mortar stores to what ads we clicked online.

It’s common knowledge that Google knows when we click on ads. But now, it also knows what we buy in brick-and-mortar shops, due to a previously unreported deal it cut with Mastercard to get our transaction histories, Bloomberg has discovered.
The offline credit card spending data, which anonymous Google insiders said cost millions of dollars, gives Google an unprecedented advantage over competitors such as Amazon, by helping it track users’ offline spending in stores.
The deal hasn’t been made public. The two companies reportedly hammered it out over the course of four years, according to four people with knowledge of the agreement, three of whom worked directly on it.
Mastercard has denied suggestions that the data could be used to identify exact purchases, but the Open Rights Group told the BBC that the confidential nature of the deal raises privacy issues.
Open Rights Group legal director Myles Jackman wondered – given that Google can now tell advertisers that people’s clicking on ads led to actual store sales – whether the company will cut any of those people in on the profit:

This raises serious concerns regarding the use of private financial data. Will Mastercard be compensating their clients for the data they have given away to Google for their own financial gain?

Don’t count your micropayments before they microhatch: The answer, of course, is that it will likely be a cold day in retail hell before that happens.
Christine Bannan, counsel with the Electronic Privacy Information Center (EPIC), told Bloomberg that this is surprising news for consumers, and it’s not coming with enough context regarding what’s being done with our data or what we can do about it:

People don’t expect what they buy physically in a store to be linked to what they are buying online. There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.

At any rate, both Mastercard and Google are claiming that shoppers’ individual details aren’t being tied to the buying profiles.


A Mastercard spokesman told Bloomberg that the payment company shares transaction trends with merchants and their service providers to help them measure “the effectiveness of their advertising campaigns.” He said that the information – including sales volumes and average purchase size – is shared only with merchants’ permission, and that it’s not tied to individuals:

No individual transaction or personal data is provided. We do not provide insights that track, serve up ads to, or even measure ad effectiveness relating to, individual consumers.

Google declined to comment on the partnership, but it did address a powerful new ads tool – called Store Sales Measurement – that its select partners have accessed over the past year. The tool lets retailers track whether their online ads led to a sale at a physical store in the US: information reliant on a “stockpile of Mastercard transactions” that Google purchased, according to Bloomberg.
From a statement about the anonymization in Store Sales Measurement, provided by a Google spokeswoman:

Before we launched this beta product last year, we built a new, double-blind encryption technology that prevents both Google and our partners from viewing our respective users’ personally identifiable information.
We do not have access to any personal information from our partners’ credit and debit cards, nor do we share any personal information with our partners.

People can opt out of ad tracking using Google’s Web and App Activity controls, the company said.
Mastercard likewise told the BBC that the data it provides to retailers – via its own “media measurement services” – is stripped of personally identifiable information (PII):

We only provide merchants and their designated service providers trends based on aggregated and anonymized data, such as the merchant’s average ticket size and sales volumes.

The “it’s anonymized” line is a familiar one, and it’s one that Big Data researchers love to skewer by doing things like pinpointing people after looking at a bunch of supposedly anonymized credit card transactions.
Bloomberg reports that multiple Google staffers objected to the fact that the Web and App Activity control didn’t provide cardholders with a more obvious way to opt out of this kind of tracking.
In the past year, we’ve seen Google employees protest work on both a censored search engine for China and artificial intelligence-enhanced targeting of drone strikes for the Pentagon.
Will Google employees similarly raise a ruckus over Google’s hush-hush deal with Mastercard? If so, we’ll let you know.
In the meantime, it’s unknown whether Google has struck similar deals with other payment companies, though one of Bloomberg’s sources said that it’s approached other credit card companies. What we do know is what Google has already bragged about: it claims to have access to about 70% of US credit and debit card information, shared through partners, though it hasn’t named those partners.
Make of that what you will, but it sounds like Google has brokered its way into knowing an awful lot about the majority of US consumers’ spending activity and is on track to know the same about even more of us. From Bloomberg:

That 70 percent could mean that the company has deals with other credit card companies, totaling 70 percent of the people who use credit and debit cards. Or it could mean that the company has deals with companies that include all card users, and 70 percent of those are logged into Google accounts like Gmail when they click on a Google search ad.
Google has approached other payment companies about the program.


25 Comments

I see no problem with that. Most people use Google to search products anyway. If Google knows what you bought at Walmart and decides to show a related ad, that’s perfect. It makes it easier to find what you like online. It’s better to have ads that are related to my interests than current ads that do not match my interests.


Presumably if your credit card company does not have an email address for you (or you use a throw away or anonymous one) and you do the same for all your online accounts, it does become difficult for Google etc to link an offline purchase with an on-line ad-view?
Or are they sneaking out personal information like account addresses as “non-identifying”?


I suppose I might not mind if it stops me being plagued with ads for something I have just bought (or where a visitor has used my wifi to buy things – I know when my daughter has been here because I get ads for disposable nappies).


A better headline would be, “Mastercard quietly sold Google credit and debit card records”, since Mastercard was originally entrusted with this data.


Google “rewards” app has recently been asking in surveys whether you’ve been in a particular shop (that the phone has already reported via location sharing), and then whether you used cash, credit or debit to purchase in that shop. Sure looks like cross referencing or validating.


Why would Google waste its money on buying data from Mastercard? It already has access to email and messages on mobile phones that identify the spend through bank messages, credit/debit card messages.


This sort of thing should only really be OK with an opt-out in place for consumers. A real opt-out, not one of the ‘since you’ve opted out we promise we won’t farm your data (cross fingers, flutter eyelids)’ arrangements that seem to be common among our tech-sector overlords. Given some of their other wins I can imagine the EU leading the charge on such an issue.


The real question is how MasterCard is legally selling to the highest bidder their customers’ private information.
Who else are they selling it to?


Just another sensationalist headline. What company would have and why should they have made a big announcement about that?


You seem to be saying that Google had no obligation to announce this deal, and indeed that it didn’t announce it. In other words, you’re saying that Google did “quietly buy” the data that the headline mentions – which seems to make the headline entirely congruent with the facts, at least to me.
How data is bought and sold (and how it’s anonymised) is an interesting and important issue in cybersecurity – why shouldn’t we write about this sort of thing?


It’s going to get to the point (or are we already there?) that The google has more information on you than you do. If you can hack The google – you have hacked the world! (+dog)


It also seems amazing that someone hasn’t raised a complaint when Google responds with “you can opt-out within the Google Web and App Activity” controls... unless of course you don’t HAVE a Google profile and don’t want one, lest you give them even more information about you and even more tracking tools than they had about you... that too should be against the law. Opt in only, not sold and every time I see an ad targeted at me specifically on an open platform that I have not logged into, gives me 1984 chills.


DS, you might like something I’ve been doing on one system at home, blocking the googles IP addresses, and related CDNs. Reduces ads, speeds up surfing.
