The Sum of Your Parts: Business Analytics and Unique Identifiers

20 06 2012

We haven’t been properly introduced.  I’m that guy from your Intro to Information Security course, but you probably know me better as:

  • ·00:10:FA:49:6B:E9
  • ·
  • ·SSIDs Starbucks & Caribou
  • ·Mozilla/5.0 (Linux; U; Android 2.3.3; en-au; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.12011-10-16 20:22:55
  • ·Cookies: text-based, encoded, unsweetened
  • ·Target Guest ID #34980292

I Really Want to Sell You Stuff

If you have found this blog post, chances are that you may be technology oriented and are likely quite knowledgeable on the modern information security threat landscape.  But are you paranoid?  Would you give your name or home address to a complete stranger?  Would it bother you if someone knew your every move?  Would you share details of the technologies that you rely upon with strangers flexing hacker skillz?  Are you confident in your ability to maintain your anonymity?

Aristotle put forth that “the whole is more than the sum of its parts”.  Sure, this sounds noble and speaks to the humanity of man- but is it still true?  What if the sum of your parts is really the sum of every commercial transaction conducted over the course of your life?  BBC News estimates that value to be $1.94M [1].  It is safe to suggest that their are entities in the world that place more value on that dollar amount than on the whole of you.  Business analytics are scary.  ComputerWorld and SAS would have you believe that “business analytics are predictive as well as historical, which requires a cultural shift to the acceptance of a proactive, fact-based decision-making environment, providing organizations with new insights and better answers faster” [2].  In other words, its the science of selling to consumers by learning everything they can about them, fusing that knowledge with behavior analysis and wrapping it up in a custom marketing campaign tailor made for you.

Who Exactly are “You” and How Do Businesses Get This Data?

You are the sum of your parts.  In the Information Age your parts are the menagerie of unique digital IDs that you litter throughout the real and virtual worlds.  Digital devices have MAC addresses, IP addresses, user-agents, usernames, cookies and countless others.  From each of these IDs business are able to glean valuable pieces of information.  It may be something that you are, something that you like or even where you were when the information was collected.  Each of these adds context to “you” and once correlated in a database will ultimately paint the real “you” in fine detail.

First, lets look at that phone in your pocket.  I bet you love your new iPhone.  It really is hard to remember life before mobile YouTube hilarity.  However, those data plans are really expensive.  Lucky for you that you outwitted the phone company and configured your phone to milk free wifi wherever you go- good for you.  Wrong.  In an effort to ease the process of attaching to networks, your phone constantly throws SSID Probe Requests out into the world [3].  These Probe Requests reference every network that you have ever attached to- looking for old friends.  This means that 00:10:FA:49:6B:E9, aka the unique MAC address of that guy’s phone, is throwing out Probe Requests for the “Starbucks” and “Caribou” SSIDs that it connected to last week.  Now, anyone within earshot listening in the 2.4Ghz 802.11 spectrum has learned that 00:10:FA:49:6B:E9 is in the area and has been to Starbucks and Caribou.  Analysis on this data may or may not support that 00:10:FA:49:6B:E9 likes coffee.

Lucky for 00:10:FA:49:6B:E9, it found a seat in a Starbucks and decided to order that Father’s Day gift it has been procrastinating.  Who doesn’t love Amazon and free shipping with an Amazon Prime membership?  This time, however, you aren’t known as 00:10:FA:49:6B:E9- in the case of Amazon it knows you as, the first public IP address between the webserver and you.  In this case, you are known as the ingress IP address into the particular Starbucks where you are sipping your Grande Americano.

Coupled with your IP address Amazon also knows you as your user-agent.  User-agents are a string of data that tells a webserver what tools it has to render the information to the user.  So a developer may have a different website that it wants to send to Internet Explorer as opposed to Firefox.  So in addition to you are also sending Amazon:

Mozilla/5.0 (Linux; U; Android 2.3.3; en-au; GT-I9100 Build/GINGERBREAD)             AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.12011-10-16    20:22:55

Maybe you knew your browser coughed up that much data about itself, or maybe not.   Either way, Amazon now knows that you are on a mobile device running Safari as your browser while you sit in Starbucks.  Analysis on this data may or may not support that likes coffee.

So now as far as Amazon is concerned you are just some random public IP address and web browser combo.  Wrong.  You are the entity that looked at that weird spatula/tong grilling tool last week for your Dad but never completed the transaction.  Your cookies betrayed you.  No, not the delicious chocolate chips in the Starbucks display case- it’s those text-based cookies in your web browser, laden with items that you dropped in your online shopping cart, some tracking data and any unique identifiers like your username.  Cookies started out as helper files used to customize the user experience between the web browser and the server, but over time companies started “surreptitiously planting their cookies and then retrieving them in such a way that allows them to build detailed profiles of your interests, spending habits, and lifestyle” [4].

Now that you understand that it isn’t a coincidence that the rug you almost bought on didn’t just happen to be advertised on the next seven websites you visited, lets take a look at how far companies are willing to go to monetize the relationships that they develop with each customer.  Fancy Wal-Mart, otherwise known as Target, uses the Guest ID number as the ordinal in each shopper-merchant transaction.  This means that your rewards card, credit card numbers and any other unique data is linked back to the Guest ID.  Over time, when combined with state of the art predictive analysis, Target is able to focus its personal marketing campaign at a guest with frightening accuracy.  As reported in in the New York Times, a key goal is to identify and aggressively market expectant mothers as they enter the second trimester- just prior to nesting and the onslaught of baby related purchases [5].

Modern behavioral research is focused on the minutiae of who you are- specifically, that you are the sum of your habits.  According to Duke University, your habits account for 45% of the decisions that you make each day- not conscious thought [5].  So let’s put the pieces together.  Businesses have cracked the code on collecting data that you both intentionally and inadvertently have shared with them.  They know that 45% of your decisions are based on habit and that you spend about $1.94M throughout your lifetime.  They know enough about you to predict your habits, travels, wants and needs.  I can’t say with a straight face that companies have lists of your MAC addresses or that they mine your Probe Requests- yet.  But its not a reach to see that if they were there could be value gleaned from the data.  My goal was to facilitate a small discussion on what kind of data you litter throughout your day and for what reasons businesses may be interested in collecting and analyzing it.  So I will close with two questions:  how much are the sum of your parts worth, and are you paranoid?


[1]  BBC News.  (2005, April 26). People ‘spend £1.5m’ during lives.  Retrieved June 15, 2012, from BBC News:

[2]  MarketWave.  ComputerWorld & SAS. (2009). Defining Business Analytics and Its Impact On Organizational Decision-Making.  Retrieved June 15, 2012, from:…/sas_defining_business_analytics_wp.pdf

[3]  Wuergler, Mark.  (2012, March 5).  Secrets in Your Pocket.  Retrieved June 15, 2012, from Prezi:

[4]  Cookie Central.  The Cookie Concept.  Retrieved June 15, 2012, from Cookie Central:

[5]  Duhigg, Charles.  (2012, Feb 16).  How Companies Learn Your Secrets.  Retrieved June 15, 2012 from:




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: