Feedback on the BonusCard Swap Meet

I got a lot of feedback and interest in the Bonus Card Swap Meet site, almost all of it positive. I've included almost all of it below, including a number of e-mail interviews I did that never got published.

Rob's Giant BonusCard Swap Meet

Kelli Farrell

Kelli Farrell is a netizen and annoyed Safeway club shopper.

27 Dec 2001 17:20:57 -0500

"Safeway is another grocery store with annoying cards. As soon as I find mine, I'll email you a scan of it. I just printed out one of the cards on your site and sent my mother off to the grocery store ~ she hates those cards with a passion. I'd love to see you make an "official" giant bonus card!"

I'm happy to see that enthusiasm for the swap meet hasn't gone away completely, and I will gladly add any cards that are sent to me into the system. We really are reaching the limits of effectiveness for a crude little open database like what I originally set up. However any suggestions for how to make this a more effective proof of concept system will be gladly accepted, please e-mail me.

Andy Cervantes

Andy Cervates is the Chief Operations Officer of the Privacy Foundation at

Sun, 28 Jan 2001 15:52:41 - 0400

Andy Cervantes: Rob, hey, ijust found your bar code forger. Pretty nifty trick. Nice work. That data is already appearing in court cases.

Yep, and automatic detection of simultaneous hazardous household chemical purchase. Don't use your BonusCard for two bags of fertilizer and a portable gasoline container.

At least, that's what John Jasen tells me...

Columbus Alive Interview

J. Caleb Mozzocco is a reporter with Columbus Alive, a weekly alternative newspaper based in Columbus, Ohio online at

14 Jun 01 14:06:11 -0400

Caleb Mozzocco: Hi, my name is J. Caleb Mozzocco and I'm a reporter with Columbus Alive, a weekly alternative newspaper based in Columbus, Ohio (you can check us out online at I'm working on a cover story about the discount/loyalty cards that are so prevalent in grocery stores these days.

Basically, the last chain of supermarkets which was holding out on the program in our area finally instituted their own cards, and

I'm working on a story on the opposition to the cards. I came across your name and site while running searches on the Internet for cconsumer advocay groups, sources of opposition, etc.

I see from your site at that you have been active in a sort of opposition (or at least circumvention) to similar card programs by genereating barcodes for cards? I'm looking for opinionated people opposed to the cards to inteview for my article--I realize you're a long way from Ohio, but this is a national issue as much as a Central Ohio issue. Would you be interested in chatting with me about what you've been doing over the Internet witht he Giant cards? If so, please feel free to contact me via any of the avenues below. Additionally, if you have been in contact with anyone in Ohio or the Mid-west who you think might be interested in talking on the subject, could you please feel free to pass on my number?

Thanks for your time, and I'll look forward to hearing from you soon.

A couple of messages where we just worked out how we would do the interview. We decided a long e-mail volley would be fine, then I never heard back from him, so I'm going to repost his questions and my answers here.

Date: Fri, 15 Jun 2001 14:14:58 -0400 (EDT)

Okay, here goes...

First, I'd like to ask some personal background, much of which I saw posted on your website. You mentioned you worked for KCI Technologies, Inc...what do you do there, and what kind of company is it (we needn't put the company name in the article, but I was just wondering your occupation so we can write "Rob Carlson, a fireman from..." or "Rob Carlson, a computer programmer in..", etc.)

I'm a web applications programmer for KCI Technologies, Inc. in Hunt Valley, MD. My formal title is Web Programmer.

You live near Baltimore? What's the name of the city/town you live in?

I live in Catonsville, MD, which borders on the Southwest corner of Baltimore City. By the time you run the story I'll probably be living in downtown Baltimore, so Baltimore is fine.

If you don't mind my asking, how old are you? (again, just so we can write "Rob Carlson, 31, of blah blah blah.." you don't have to answer if you don't want to).

I'm 21.

Okay, now on to the cards themselves...

What supermarket chains are there in your area? Are there any that do not offer somekind of bonus/loyalty/shopper's club discount card?

The major chains in the area are Giant, Mars, and Metro. I do most of my monthly shopping (yes monthly-- I'm a bachelor :-)) at Metro, and treat Giant like a big convenience store since there's one within walking distance from where I work, and one just five or six minutes away from my house.

Do you have any yourself? Have you ever?

I got a Giant BonusCard when the woman at the register actually went and got me one because I would save $15 on some decorative fountain that I wanted to buy. I joke about the fact that it actually belongs to Damian Michaels, the guy that lives under my bed. I honestly can't remember if I was lazy enough to use my real name or not, though. In any case, the only card I own is the card in the picture on my site.

In general terms, what are your feelings on these types of cards? Do you think they offer a real service to customers (saving them money), are they simply a marketing tactic to get people to shop at the store, are they, as some people believe, just a way to get personal info from customers and track their shopping habits?

Giant used to offer the lowest prices of all the supermarkets in the area. Once the BonusCard came out, they raised their prices, and then lowered them again for BonusCard customers. So it _looks_ like you're getting special savings, but it's the same prices they were offering to _everyone_ before they started this whole deal.

Meanwhile, Metro just has across the board low prices and sales, so I shop there and treat Giant like just another big convenience store.

Their goal is to build customer profiles, which is respectable. I mean, they always knew what stuff was being sold though their store inventory systems, and they could just as easily get an order-by-order list of stuff that was bought each time a customer came to the checkout line. What they didn't have is what's known as a "persistent identifier." On the Internet these take the form of the well-known Cookies. In the supermarket, it's your buyer's or "club" card. With this, they can show how their different pricing schemes have affected the buying patterns of a large number of individual customers over time, and associate the buying habits of customers with their name and address.

Could you tell me a little bit about what you do at your Rob's Giant BonusCard Swap Site, as far as what goes on there? How did you come up with this idea, and how exactly does it work? Do you have to sign up for a card, and then replace the assigned barcode with a new one, or...?

The idea origially came from David Lesher, who mentioned it on an Internet mailing list. A few days passed, and nobody mentioned that they were going to follup up on it, so I did. I did this because it sounded like a neat project that wouldn't take a lot of time, and it would attract attention to the goal and implications of club cards and let me show off my programming skills at the same time.

You have to have a valid card number that's in their system, but they'll give them out to anyone who asks and fills out a short form.

Do you have one of these cards you've made or altered yourself? Do you make them for people who request them, or does your site just serve to show interested and knowledgeable people how to go about making them? If you do have and use a card you made/altered yourself, have any of the cashiers ever caught you/became suspicious about it?

I was thinking of altering one of my cards, but I never got around to it. What finally wound up happening as that Giant integrated the customer phone number database into their cash register system, so you can type your telephone number into the credit-card console at the register and it's just like the cashier scanned your bar-coded card. So now when they ask me for my card, I shrug and ask them if I can use my phone number instead. They tap a key on the cash register, and then I enter in the phone number of any one of a dozen of my friends who have BonusCards and get the savings at the register without giving up my privacy.

What is the intent behind this, is it a way to receive the savings from the store without surrendering personal info?

It's partially that, but really it's what's known in the computer security world as a "Proof of Concept." For example, I could tell you that there's a way to get access to or break a computer system by following a series of esoteric instructions. And you'd probably smile and nod because it really doesn't have any significance to you. But if I write a program that does the same thing in such a way that anyone can use it to exploit the vulnerability of the system, then you have to pay attention, because suddenly it isn't just a concept anymore.

It's the same thing for Giant. One of the big holes in these systems is that there's no way to _really_ know that the person giving you the card is the same person. But it's not a big concern to Giant because the effort required for the typical person to swap their cards regularly with someone else is so high. But now I've put an easier way to do it up on the Internet that's accessable to everyone. It proves that their system isn't perfect, and causes the people who visit to check it out think about the system as a whole.

On the site it said you can only do this for Giant cards, but were open to doing other stores' cards, have you started doing any others?

No one has sent me any pictures or examples of other cards. As soon as someone does, I'll be glad to add other stores onto the page.

When someone signs up for a Giant BonusCard, what info does the company ask for (just name and address? phone number? Social Security number? Driver's license?)?

On the Giant website, they ask for name, address, phone number (optional) and e-mail address (optional). I believe that's the same information they ask for on the paper form.

Now, to play devil's advocate, I'd like to bounce a couple of people's arguments off you for your input.

Many supermarket companies claim the cards are a way of rewarding the loyalty of consumers (the savings go to the people who have the cards and shop there all the time, rather than casual shoppers). What's wrong with that?

There's absolutely nothing wrong with that. In my opinion, though, supermarkets tend to seriously downplay their actual use of the card in tracking individual cusomers. If customers are willing to trade their privacy for additional savings then they have that right, but they should also be aware of how the data they provide will be used.

By being able to track consumers' purchases, the store can better serve their shoppers. For example, if a store in a certain area seems to buy a lot of Asian foods, that particular store can expand its Asian food aisle, etc. Does this seem like a valid concern to you?

In this respect, the store gains no advantage using a club card system over their computerized inventory system. The store can easily track the types of products that are purchased, stolen, spoiled, and so on. That's just good business practice. And if they notice that the Asian food aisle needs to be expanded, they'll see that by how quickly the inventory of those products needs to be expanded. If they want to know which products to stock next to each other in the aisles, they can do that without club cards too. All they need to do is save a virtual copy of the customer's receipt at the register and they know which products the customers (anonymously and en masse) are purchasing together.

What club cards do here are to allow the store to see trends and statstics in the purchasing habits of an individual (or at least, an individual club card) and market to them directly. This might take the form of special coupons printed at the register for them, or maileed directly to their house. But it really has no effect on how inventory is stocked in the store.

Finally, some card opponents would argue that trading or altering cards or providing false data doesn't really help do away with cards or hurt the stores, since the stores still get the consumers' money and they still get a countable "statistic." How would you respond to this?

It's true. The only thing that card swapping does is allow the customer to take away the savings at the register without the risk of having a detailed individual profile built from their shopping habits. If a few privacy conscious people can do this, and Giant and other stores don't care, than the web site has done its job.

Besides, the friendlier cashiers have been doing this since the inception of club card programs. It's been my experience that if you smile and say you don't have your card, they'll be more than happy to use their own or a well-worn card that they keep on the top of the register to keep you a happy customer. It certainly doesn't cost the cashier anything to do.

Okay, well that should be a good place to start. I realize I packed in quite a few questions, so please feel free to take your time and get back to me at your leisure. I really appreciate you taking the time to read all these questions and answer.

Carl Ellison

Carl Ellison is a member of the ACM.

Carl Ellison: Are those sequence numbers in sequence? Can we just start generating new ones?

Well, not until we establish a bigger set for pattern detection.

So far I haven't been able to cull out a good sample from all these visitors. I had five when they started coming. I have seven now. Apparently people in Hong Kong don't carry Giant cards.

Right -- I don't either. Sorry I can't help. Of course, even when I lived in Balmer, I refused to get one.

I still don't have enough data.

Dan Bornstein

I've also had some interesting conversations with Dan Bornstein. Well, interesting to me anyway, so I won't bother reprinting them here. In short, when I first posted up the page I forgot to give him credit for his barcode program that I used to generate the page from the output of the database. Around noon on January 28, 2001 he wrote me to ask if I was using his code. Completely moritified by my mistake, right away I gave him a nice big link to his Barcode Server program and personal page. He happily reciprocated, giving me a lot of steady traffic since January. A few weeks later on April 2001, Dan wrote me personally to tell me about the new version of his barcode server with some really neat news: "it now supports a form which approximates those frequent buyer cards, and it'd probably be pretty easy for you to make a slight tweak to the code to get the height just right," he wrote. I never really needed to do the tweak, and now this site looks even cooler thanks to his efforts.

Declan McCullogh's Politech

The Politech post that got me all the links.

From: Declan McCullagh <>
Subject: FC: Fed up with those supermarket discount cards? Make your own
Precedence: bulk
Date: Sun, 28 Jan 2001 12:38:45 -0500

Me, I hate those Giant discount cards that you have to give up your 
personal information to get. This is the free market at work, of course: I 
value my privacy and relatively-empty meatspace mailbox more than the 
discounts I'd receive. Besides, I usually shop at Fresh Fields on Wisconsin 
Avenue anyway. (For those of you outside the mid-Atlantic states, Giant is 
a large supermarket chain here.)

Swapping supermarket cards has long been a staple of cypherpunks meetings, 
of course, but Rob Carlson has taken it a step further, and I thank him for it:


POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit
This message is archived at

Derek Hampton

By far the most interesting mail was from Derek Hampton, who knows my current housemate and benevolent Internet provider.

Mon, 29 Jan 2001 00:12:33 -0500

Derek Hampton: i saw this mail and went to check out the site. when i looked at your main site i noticed you live in MD and dale hosts your site. i know dale from the old digex days when we sat next to eachother in cubes and i was a newbie who harassed him w/a million questions.

anyway, i thought your giant idea is interesting although i'm not too sure how it's going to help me get more savings when i go and grocery shop(my wife actually does use her giant savings card). it hink it's a cool idea regardless.

talk to you later...

/derek --

I only pepper him with half a million.

It won't help you get more savings. Perhaps it might get you even less if someone else gets your fifth gallon of milk for free, but it does protect your privacy and let you keep the bulk of the special offers.

Thanks for the good feedback.

Domonique Ritter

Dominique Ritter is Managing Editor of Adbusters Magazine of Vancouver, B.C., Canada on the web at

Fri, 9 Feb 2001 14:28:25 -0800

Dominique Ritter: Hi Rob, Greetings from Adbusters. We like the sound of your bonuscard scheme - can you tell me more about it? Cheers, Dominique

Sure, what would you like to know?

I'd like to know any details you can tell me -- how people are doing it, what the object is, how exactly it works (do you need a bonus card to shop at this store?), whether it's been found to be effective, if there are any stories about people being found out, or simply being referred to by the cashier as "Mr. Wopsle"...

Any news would be appreciated.

Giant used to offer some really good deals to all its customers, but in the last year switched to a club card system where these really good deals only go to people who have registered for their free card.

So far thousands of people have visited the site, 10 have submitted their card numbers to the system and nobody has sent me any information about other supermarkets. It's basically a quick-and-dirty "proof of concept" to show that at this point you can work around the system and keep your privacy _and_ get the savings if you desire.

So far nobody's given me any feedback as to whether they've actually used it, or any interesting stories.

I never heard back from her. Oh well, Adbusters never thrilled me anyhow.


A guy named FireSnake wrote me on Fri, 1 Jun 2001 19:37:14 GMT in broken English from Portugal to say that supermarkets in his country. Nice way to find out this is a pretty widespread issue these days.

Jim Rosenberg

Jim Rosenberg is Business & Economics Reporter for WAMU FM in Washington, DC, on the web at

On 20 Feb 2001 13:46:10 Jim Rosenberg wrote to ask me about the BonusCard site and if I'd like to be interviewed.

I'm Jim Rosenberg, reporter for NPR affiliate WAMU here in DC. I get Declan M's politech list - and read about your Giant card page a few weeks ago. Has there been much traffic to the page? Has Giant contacted you about it? Would you be interested in being interviewed about it & why you decided to set it up? Who else should I talk to? Are these the most questions you've ever seen in one email?

Much is a subjective term. I've had 3165 hits on that page since I put it up on Jan. 25. Some repeat traffic, mostly individual users. Declan's list was a real boost.

Giant hasn't contacted me about this, although I'm sure by now someone there must be aware of it.

I decided to set it up because Giant used to offer some really good deals to all its customers, but in the last year switched to a club card system where these really good deals only go to people who have registered for their free tracking card. It's mostly done in the spirit of randomness and "somebody ought to do that" thinking. So I did.

So far thousands of people have visited the site, 10 have submitted their card numbers to the system and nobody has sent me any information about other supermarkets. It's basically a quick-and-dirty "proof of concept" to show that at this point you can work around the system and keep your privacy _and_ get the savings if you want.

So far nobody's given me any feedback as to whether they've actually used it, or any interesting stories.

No, I wouldn't mind being interviewed, but I'd hope it would be as part of a larger program because there isn't much meat in this story alone. David Lesher thought up the idea on the DC Cypherpunks list and I had a few extra minutes, so I wrote the code for it.

Where I work, I get questions all day long. Five more won't break me. :-)

We did an interview on the phone the next day or the day after that. I didn't record it, but I did keep my quick-reference cut-sheet. On Thu, 22 Feb 2001 he wrote to say he was pushing the story to the next week, but I never heard anything back. On June 15, 2001 I asked him what had happened to the interview, to which he replied:

We never ran the story - it got lost in the shuffle here...I may revisit it at some point. And we don't release raw tape of stuff - so I can't give you a copy of the interview. Sorry.

Hopefully the story will run one of these days before it gets stale.

Nancy Werlin

A friend of Nancy Werlin sent me some e-mails around May 26, 2001 to discuss card swapping and store sign-ups. Evantually, she volunteered to drop a note to Ms. Werlin to see if it was all right to link to her book site from here. Naturally she had no problem with it and was actually kind enough to send me a copy of her book which I enjoyed very much.

David Lesher

David Lesher is the gentleman who planted the seeds of dischord in my mind. Thanks. This is his original post to the dccp list.

From: David Lesher <>
Subject: Giant Bingo anyone?
Date: Fri, 5 Jan 2001 18:23:43 -0500 (EST)
To: DCCP list <>

I happen to have a new Giant discount card. [1] While they do
give you 3 sets of barcode plastic, it occurs to me that the
clerk only sees the backside. A laserprinter could easily make
barcode that you just paste onto your card...

(But that would be naughty, as it would really screw up Giant's
tracking of what a vic^H^Hperson buys and where.)

We might even have a Giant card-of-the-month post here...

1] Mine? Well, not really... it belongs to Mr. Yardley, Herbert
O. Yardley of Annapolis Junction MD.. But he said it was OK if
I used it....

A host is a host from coast to
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

Rob's Giant BonusCard Swap Meet