CheckOut: User-Controlled Anonymization for Customer Loyalty Programs
Authors: Matthew Gregoire (University of North Carolina at Chapel Hill), Rachel Thomas (University of North Carolina at Chapel Hill), Saba Eskandarian (University of North Carolina at Chapel Hill)
Volume: 2024
Issue: 3
Pages: 224–245
DOI: https://doi.org/10.56553/popets-2024-0076
Abstract: To resist the regimes of ubiquitous surveillance imposed upon us in every facet of modern life, we need technological tools that subvert surveillance systems. Unfortunately, while cryptographic tools frequently demonstrate how we can construct systems that safeguard user privacy, there is limited motivation for corporate entities engaged in surveillance to adopt these tools, as they often clash with profit incentives. This paper demonstrates how, in one particular aspect of everyday life -- customer loyalty programs -- users can subvert surveillance and attain anonymity, without necessitating any cooperation or modification in the behavior of their surveillors. We present the CheckOut system, which allows users to coordinate large anonymity sets of shoppers to hide the identity and purchasing habits of each particular user in the crowd. CheckOut scales up and systematizes past efforts to subvert loyalty surveillance, which have been primarily ad-hoc and manual affairs where customers physically swap loyalty cards to mask their real identities. CheckOut allows increased scale while ensuring that the necessary computing infrastructure does not itself become a new centralized point of privacy failure. Of particular importance to our scheme is a protocol for loyalty programs that offer reward points, where we demonstrate how CheckOut can assist users in paying each other back for loyalty points accrued while using each others' loyalty accounts. We present two different mechanisms to facilitate redistributing rewards points, offering trade-offs in functionality, performance, and security.
Keywords: privacy, security, cryptography, applied cryptography, surveillance, obfuscation
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.