PATRICK J. LEAHY, DIANNE FEINSTEIN, CALIFORNIA CHARLES E. SCHUMER, NEW YORK RICHARD J.

DURBIN, ILLINOIS SHELDON WHITEHOUSE, RHODE ISLAND AMY KLOBUCHAR, MINNESOTA AL FRANKEN, MINNESOTA CHRISTOPHER A. COONS, DELAWARE MAZIE HIRONO, HAWAII

VERMONT,

CHAIRMAN

CHARLES E. GRASSLEY, IOWA ORRIN G. HATCH, UTAH JEFF SESSIONS, ALABAMA LINDSEY O. GRAHAM, SOUTH CAROLINA JOHN CORNYN, TEXAS MICHAEL S. LEE, UTAH TED CRUZ, TEXAS JEFF FLAKE, ARIZONA

t1nitrd ~tatrs ~rnatr

COMMITTEE ON THE JUDICIARY DC 20510-6275 WASHINGTON,

KRISTINE KOlAN

J.

LUCIUS,

L. DAVIS,

RITA LARI

A. COHEN, Staff Director Chief Counsel and Deputy Staff Director Republican Chief Counsel and Staff Director JOCHUM, Republican Deputy Staff Director BRUCE

March 13,2013 Mr. Will Smith, CEO Euclid, Inc. 1027B Alma Street Palo Alto, CA 94301 Dear Mr. Smith: I am writing to request information about Euclid, Inc.' s use of consumer tracking technology. As I understand it, your company's technology can track consumers as they walk past a store, enter a store, or move between its floors by tracking a permanent and unique hardware number transmitted by those consumers' smartphones. This tracking occurs on an optout basis: unless someone visits your website and enters her information, Euclid's technology will track her. Recent news reports suggest that Euclid's technology has tracked 50 million unique smartphones or other WiFi-enabled devices. All of this would suggest that the movements of millions of Americans have been tracked in your clients' stores without those consumers' permission. I find this troubling. It's clear that your company has taken concrete steps to protect consumers' privacy, such as "hashing" the unique identifiers you collect from consumers' smartphones and only disclosing aggregate consumer data to your clients. I applaud these efforts. At the same time, I think that Americans have a fundamental right to not be tracked without their consent - especially in the real, "offline" world where they are less likely to expect it. I also have serious concerns about how Euclid will use, share, and protect the data that it collects from users in this manner. I request that you provide answers to the following questions by April 1, 2013. 1. Exactly how many unique smartphones has Euclid tracked in its clients' stores? 2. In what cities and states does Euclid track consumers' smartphones? 3. Does Euclid track people's smartphones when they enter a store but don't buy anything? 4. Does Euclid track people's smartphones when they walk past a store without entering it? 5. Does Euclid track a particular individual smartphone owners as they visit or walk past different stores? 6. Euclid's online Privacy Statement says that its technology would enable it to tell a client whether "more people usually tend to grab a coffee or an ice cream after going to the dentist[.]" I understand that Euclid's technology is not being used in any medical

facilities or pharmacies. Is that correct? If so, will Euclid pledge that it will never deploy its technology in or near any medical facilities or pharmacies in the future? 7. The Privacy Statement says that Euclid may augment its client reports with "information [Euclid] guesses infers [sic] from user activity, such as whether a device owner is male or female, income bracket, etc." (emphasis added). How exactly could Euclid guess or infer a consumer's gender and income bracket based on her smartphone data? 8. A recent New York Times article said that Euclid's technology is used to calculate "the percentage of people who come into the store who leave without making a purchase." How does Euclid calculate that percentage based on consumer smartphone data? 9. What mechanisms does Euclid have in place to monitor and identify breaches of consumer data? 10. Has Euclid's consumer data ever been breached? 11. The Privacy Statement says that Euclid's data is stored with Amazon Web Services. In January 2012, Zappos, an Amazon-owned company, suffered a breach that compromised the names, shipping and billing addresses, phone numbers, and e-mail addresses of over 24 million customer accounts. Has Euclid taken additional precautions since this breach? 12. If a law enforcement agency or a company told Euclid the MAC address for someone's smartphone and asked what stores the owner of that smartphone had previously walked past or visited, would Euclid be able to answer that question? 13. Will Euclid require law enforcement to obtain a warrant before disclosing a particular consumer's location records? 14. Does Euclid have any plans to sell, rent or disclose any of its consumer data to data brokers or any other third parties? 15. Will Euclid assure users that it will never sell, rent or disclose any of its consumer data to data brokers or any other third parties? 16. Will Euclid move to an "opt-in" model where a unique person is only tracked if she agrees to that tracking? If not, why not? Thank you for your time and prompt attention to my inquiries. Sincerely,

/11)7.~ / GU J!U/[/f/( tU/\...-Al Franken U.S. Senator