A new Google program designed to match credit and debit card transaction data to the online activity of Google service users is being described by the company’s executives as a ‘revolutionary breakthrough’ in advertising – but secrecy surrounding Google’s methods has got many in the data security industry asking questions.

Anonymous and Encrypted

The new program, titled Store Sales Measurement, works by accessing credit and debit card transaction records and matching them to the online activity of Google users to definitively prove that online ad clicks lead to real life purchases in physical shops. Google calls the program revolutionary because it will mark the first time that both online and real life activity can be accurately measured, analyzed, and compared – a breakthrough for advertisers who want to track the efficacy of their campaigns from the online world to the offline.

Regarding data privacy and safety Google claims that the mathematical formula used to analyze the data first encrypts it, therefore ensuring the safety and privacy of user data involved. However the tech giant has thus far refused to disclose which card companies it is getting its information from, admitting only to having access to around 70% of all US customer records. They are also yet to disclose how the data is being stored or shared and exactly how it is being encrypted, insisting only that their ‘custom encryption technology’ ensures individual data cannot be accessed by Google and that advertisers receive only general analysis.

Informed Decisions

For some data security experts, taking Google’s word for it is not enough. Privacy rights watchdog the Electronic Privacy Information Centre is now asking the Federal Trade Commission to launch an investigation into the program, stating that Google’s encryption technology should be independently regulated to make sure it’s not vulnerable to a security breach. The watchdog pointed out that CryptDB, the system SSM is believed to be based on, has been breached before including one high profile healthcare database hack in 2015.

EPIC also points out that it doesn’t seem like explicit permission has been given by the consumer to have their data used in this way and that no clear opt-out option has been made available. They believe that Google needs to be more transparent about its partners and use of data for SSM so that customers might make more informed decisions about which card companies to use and where to shop if they don’t want to be tracked.

Indeed, since the program involves the gathering, processing, and storing of private data, many are questioning whether it shouldn’t come under the umbrella of PCI DSS legislation. The way SSM is dealt with will set an interesting precedent when it comes to PCI DSS and advertising and we now watch with interest to see whether the FTC will uptake the complaint and investigation.

It will also be worth monitoring whether the US investigation prevents this new Google innovation from reaching Europe, where with GDPR looming, more stringent data protection guidelines are on the nearby horizon.