Should we boycott John Lewis?

April 6th, 2013 at 13:58 UTC by Ross Anderson

Last weekend, my wife and I were in Milton Keynes where we bought a cradle as a present for our new granddaughter. They had only the demo model in the shop, but sold us one to pick up from their store in Cambridge. So yesterday I went into John Lewis with the receipt, to be told by the official that as I couldn’t show the card with which the purchase was made, they needed photo-id. I told him that along with over a million others I’d resisted the previous government’s ID card proposals, the last government had lost the election, and I didn’t carry ID on principle. The response was the usual nonsense: that I should have read the terms and conditions (but when I studied the receipt later it said nothing about ID) and that he was just doing his job (but John Lewis prides itself on being employee-owned, so in theory at least he is a partner in the firm). I won’t be shopping there again anytime soon.

We get harassed more and more by security theatre, by snooping and by bullying. What’s the best way to push back? Why can businesses be so pointlessly annoying?

Perhaps John Lewis are consciously pro-Labour given their history as a co-op; but it’s not prudent to advertise that in a three-way marginal like Cambridge, let alone in the leafy southern suburbs where they make most of their money. Or perhaps it’s just incompetence. When my wife phoned later to complain, the customer services people apologised and said we should have been told when we bought the thing that we’d need to show ID. She offered to post the cradle to our daughter, but then rung back later to say they’d lost the order and would need our paperwork. So that’s another 30-mile round-trip to their depot. But if they’re incompetent, why should I trust them enough to buy their food?

I invite the chairman, Charlie Mayfield, to explain by means of a follow-up to this post whether this was policy or cockup. Will he continue to demand photo-id even from customers who have a principled objection? Will he tell us who in the firm imposed this policy, and show us the training material that was prepared to ensure that counter staff would explain it properly to customers?

Entry filed under: Authentication, Legal issues, News coverage, Politics, Security economics, Security psychology

23 comments Add your own

  • 1. fatbloke  |  April 6th, 2013 at 15:56 UTC

    “Perhaps John Lewis are consciously pro-Labour given their history as a co-op; but it’s not prudent to advertise that in a three-way marginal like Cambridge, let alone in the leafy southern suburbs where they make most of their money”

    Ah, so another partisan blog posting eh, Ross? It’s only news worthy from a security perspective because of the potential political affiliations of the business?

  • 2. Cyber_says  |  April 6th, 2013 at 17:05 UTC

    I can understand you being upset by poor customer service, Ross – and this certainly sounds to be poor. BUT why do you try and make this some sort of security (or security theatre) issue? And why the need to try and drag in the political allegiance or history – really grasping there.

    Obviously not enough ‘theatre’ for you to rant about in the banking world at the moment!

  • 3. Thomas  |  April 6th, 2013 at 18:00 UTC

    Huh. I don’t think I needed any ID when I picked up an online order from John Lewis last year – just the printout from the website with the details.

    I’m not sure I would have even had any suitable ID with me (unless I’d dug out my passport) as at the time I hadn’t yet applied for a driving license and so the only things in my pocket with my photo would have been my railcard and my bus season ticket.

  • 4. ffs  |  April 6th, 2013 at 18:05 UTC

    Err, no.

    If they had wanted to photocopy and retain your photoid then I could see your point but just asking for some confirmation that it’s your cot isn’t really something worth whinging about, even if it is an ineffective approach.

    Suggest next time you reserve it on the phone and pay on collection instead of harassing poor shop assistants.

  • 5. Ross Anderson  |  April 6th, 2013 at 18:56 UTC

    Tom, I’m not partisan; I was happy to help Labour get elected in 96–7 when you promised not to introduce key escrow, and I was later happy to help a Lib Dem charity produce the Database State report in 2009. And given this sort of thing I may be less keen on them come the next election. At FIPR we’ve always reckoned our enemy is stupidity rather than the government of the day; it’s not our fault if they’re correlated.

    The security relevance is clear. If even a shop that’s thought to be well-run can’t get a basic shopping protocol right, what’s going on? Most security failures are down to soft factors like usability and incentives. How institutions get usability wrong – from banks to stores to utilities to Microsoft – is a big deal.

  • 6. Shaun McDonald  |  April 7th, 2013 at 08:07 UTC

    It’s now standard practice that when you go to pick up a parcel, letter or delivery of some description that you’ll have to show some photo identification to verify that it is you. Yeah someone could use some stolen Igor forge it, however it would hopefully stop some random person turning up and claiming to be you, such as if you were to accidentally drop the order form.

  • 7. Ross Anderson  |  April 7th, 2013 at 08:45 UTC

    I don’t agree. The last time I went to fetch an undelivered parcel, the card that had been shoved through the door was all that was needed. No doubt some firms make clear on the notice that the recipient must bring a passport or drivers’ licence, but then there are three serious problems. First, some 15–20% of the UK population do not possess government-issue photo id; they’re typically older working-class women who don’t drive and have not travelled abroad. Second, people are no good at comparing persons with photographs. Third, the person collecting the parcel will often have a different name. So it’s really just security theatre.

  • 8. Nick  |  April 7th, 2013 at 08:53 UTC

    Possibly what’s missing is protocol negotiation. When a company buys something from another company, it very often happens that both insist the transaction is taking place under their own terms and conditions (usually mutually incompatible in some way) and only if something goes wrong do they discover that they never agreed whose conditions applied.

  • 9. Mark  |  April 7th, 2013 at 09:54 UTC

    A receipt is a proof of purchase and a token. It doesn’t seem unreasonable that anyone holding the receipt can redeem the token by collecting the purchase. The buyer should be warned that if they lose the receipt its equivalent to losing their cash or product. It’s perfectly reasonable for the buyer to delegate the act of collecting the product to a family member or friend who would never have the required ID.

    So I agree, there’s no reasons for JL to demand ID. If they really want to restrict collection to the user then the technology exists to photograph the buyer (who is already on CCTV), and print the photo on the receipt. However no doubt buyers would object to such a pointless process. It shouldn’t be necessary to prove my identity to complete such a basic transaction.

  • 10. Ross Anderson  |  April 7th, 2013 at 10:22 UTC

    Nick, you’re right, and if the “battle of the forms” shows how hard that is for large capable businesses that ought to pay attention (and are presumed by the courts to have done so), how can it work at the retail level?

    The individual in a typical country is faced with 1–6 big players in each sector, and within a country you see herding behaviour. A previous case history of this is in the mid-1990s when firms introduced tills that calculated change for customers. In France, Hong Kong and the USA, staff kept on handing you your coins and your banknotes separately, while in the UK some shops started putting your receipt in your hand covered by your banknotes and putting the coins on top of that. This means that a male customer has to take an extra three seconds to put the coins in his pants pocket and the banknotes in his wallet, while meantime the next customer is breathing down your neck. We’re all used to this minor hassle now, but at the time I was curious as to how firms took such decisions. As luck would have it, some directors of M&S came by to talk about point-of-sale tech so I asked them; they genuinely didn’t know. They had never noticed that their shops in the UK and France were giving change differently. So they did a trial in M&S Cambridge and found, as I’d suggested to them, that male customers preferred to be given our metal change separately. However they could not be bothered to implement it.

    The herding literature shows how small random variations in behaviour sometimes avalanche until whole societies are locked in. It would be annoying if, after many of us went to so much effort to block the planned Napoleonisation of British society, the same result were to come about as a result of shop staff being lazy and careless.

  • 11. FB  |  April 7th, 2013 at 10:53 UTC

    They don’t require photo ID, unless you are unable to produce the relevant payment card.

    If you buy online and use their “click and collect” service, as I have done several times, the confirming email says “… for your protection, your purchase cannot be released without production of your payment card. If you have paid solely by Gift Vouchers, then a driving licence or passport will be required as identification.” (I haven’t tried using my driving licence).

    As you were later told, this should have been explained when you made the initial purchase.

  • 12. Craig Heath  |  April 7th, 2013 at 11:30 UTC

    I can guess at two possible, related reasons for this:

    1) They have experienced fraud with people faking receipts so they have decided that the simplest solution is to ask for an additional form of authentication.

    2) They are using the same mechanism for reservations in-store as they are for reservations online, where the receipt can be easily intercepted (see comment 11).

    Point 1 could be addressed by adding some tamper-detection mechanism to their recipts, but that wouldn’t help address point 2.

    Assuming that hypothesis, I’m not sure that they have made a bad decision, as having different mechanisms for in-store and online would add complexity, and as we know that can be the enemy of security.

    Their main failing would therefore be not clearly advising you of this policy up front.

  • 13. Ross Anderson  |  April 7th, 2013 at 11:51 UTC

    This has another epic fail: if I send my dad gift vouchers and he makes an online purchase, he’s toast. He’s lived in the same house for 40 years so his driving license won’t have a photocard, and he’s not travelled abroad for over a decade.

    So I don’t accept, Craig, that they made a sensible decision. They maybe put the loss aversion of someone in their audit team who dealt with a fake-receipt fraud over the need to think of their business process as a whole. They should have thought of customers who were elderly, or poor, or who find ID cards offensive.

    If the customer experience were owned entirely by the chief operations officer, and she were clueful, she’d not change a procedure without stopping to think how it would affect people from several dozen different customer profiles. If in doubt she’d run it past a focus group, then test it in a few stores first.

    If on the other hand the customer experience is owned by the “partners”, then they’d better be indoctrinated with such rules as “the customer is always right”. If this leads to some petty fraud, then who cares, given their margins?

    Incidentally, under its previous management, nobody in M&S’s sprawling executive bureaucracy actually owned the customer experience. That led the company to a near-death experience, and a new CEO. It now seems to have been fixed. How long will it take John Lewis to realise it is badly managed, without the threat of a hostile takeover? Given that Charlie Mayfield earns 60 times what his “partners” do, I bet they all tell him everything’s wonderful.

  • 14. the other rob  |  April 8th, 2013 at 14:34 UTC

    Ross wrote: “It would be annoying if, after many of us went to so much effort to block the planned Napoleonisation of British society, the same result were to come about as a result of shop staff being lazy and careless.”

    This, to me is a very important issue and one that is not limited to the UK. The big thing in anti-smoking today is “de-normalization”, the idea that harm from smoking will be reduced if doing so is made to seem outre and infra dig, rather than normal and everyday.

    The current trend for retail and other establishments to demand ID is an example of the opposite process, the normalization of a “Papers please” society and should be resisted at every turn.

    This last is why (although I live in the US these days), I steadfastly refuse to produce my drivers license when buying beer or wine in the supermarket. Indeed, in an attempt to get the cashiers to think about such matters, I don’t even tell them my date of birth, but rather ask them to “make one up”.

  • 15. Ian Miller  |  April 9th, 2013 at 10:54 UTC

    You may be short places to shop in Cambridge soon. I may be having the same problem with Next in Sidney Street. I ordered and paid for some bed-linen on Saturday. I have just received an SMS announcing that it is now available for collection. Ominously this includes “please bring alone one form of ID”. There is nothing on the receipt (the only paperwork I have) mentioning requiring Id. I am sure that no mention of it was made when I ordered.

    I will be (trying to) collect tomorrow evening and I shall refuse to produce Id. if asked for it.

  • 16. ffs  |  April 9th, 2013 at 19:01 UTC

    ” I have just received an SMS”. Oh my word, you mean you gave them the number of your tracking device? Why bother resisting showing some basic ID now? I note that they don’t specify photo ID, they just want something to ensure they don’t hand over your goods to any random guy who walks in off the street they’d probably accept the SMS on your phone.

  • 17. Ian Miller  |  April 10th, 2013 at 08:20 UTC

    ffs asked: “Why bother resisting showing some basic ID now?”

    Because there is a world of difference between my choosing to carry a mobile-phone (that I can turn off or leave at home anytime I like), and someone else insisting that I produce Id.

    “they just want something to ensure they don’t hand over your goods to any random guy who walks in off the street”

    That is quite adequately covered by asking me to show the receipt that they gave me when I ordered the goods. Asking for anything else in addition is excessive.

  • 18. ffs  |  April 10th, 2013 at 18:35 UTC

    “That is quite adequately covered by asking me to show the receipt”

    So you pop home and knock up a convincing copy of your receipt on a cheap printer and send your mate in to collect the item. You then turn up the next day with your receipt and kick off.

    Should they put up the price and invest in more sophisticated printers to the detriment of all customers, or ask you to flash some common ID?

  • 19. Ross Anderson  |  April 10th, 2013 at 19:30 UTC

    First, there’s no stable solution to some problems because they’re adversarial. If Cambridge traffic got congested every morning at eight, everyone would drive to work at five to.

    Second, asking for ID doesn’t solve the bogus refund problem as ID doesn’t work. Your bent mate always has ID, and the staff can’t check his face against it better than random matching. ID is not security but security theatre, which in this scenario doesn’t work. It may seem to help the store but it certainly doesn’t help the customer.

    Complex tussles like this are one reason why we have principles. Civilised countries have human rights to stop the police trying to brute-force insoluble problems by stigmatising people. All societies have manners and social norms to stop people being assholes. And when companies adopt policies that make their staff behave like assholes, they are surely doing something wrong.

  • 20. Clive Page  |  April 11th, 2013 at 21:46 UTC

    It does seem fairly common that whey you buy something using a credit card and at a distance, e.g. by phone or on the web, and then you call to physically collect the item, they want you to produce the same card. This seems, in my experience, to be pretty much standard practice for theatres, railway station ticket machines, and airlines, and no doubt many other traders. It seems fairly reasonable. If you don’t have the card, or it has been replaced by a new one, they need a backup procedure of some sort. This is often the case when buying train or airline tickets months in advance.

    The airlines commonly ask for your passport – which for in this case you tend to have with you. Shops like John Lewis also need a backup procedure when the card used to purchase the goods cannot be shown. Asking for photo-id seems to me to be not unreasonable, but of course many of use don’t carry any with us normally (I too have an old-style driving licence without my picture on it). That’s the real criticism of John Lewis (and not alerting you to the need for some photo-id when they issued the receipt).

  • 21. Keith Tayler  |  April 12th, 2013 at 19:24 UTC

    In many areas of applied ethics, especially bioethics, there is quite a spirited rejection of any slippery-slope argument. Obviously they exist in the real world (much of applied ethics and bioethics has little to do with the real world) and this would appear to be an example of a slippery-slope. It is, as other have said above, the repeated application of what might appear to some at first sight to be a very small infringement of a liberty that is the problem. One of the most effective ways of stemming the growth of a dysfunctional technology and society that requires us to identify ourselves to it in order to exist is to resist it, as Ross has, when it is still in the cradle.

  • 22. Jess  |  April 18th, 2013 at 20:09 UTC

    In a similar situation, I have a feeling that I wouldn’t be dealing with this shop again. I would instruct my credit card company that the store was unable to provide the product for which I had paid, and that would be that. Are you allowed to do that in the UK? Maybe this is an out-of-date prejudice borne of the Chip’n'Pin thing, but I had the impression that bank and cc customers had fewer rights in Europe than here in the USA.

  • 23. John  |  May 3rd, 2013 at 06:11 UTC

    This may in fact be a correct protocol from the company perspective. I think you are asked for ID or the relevant plastic for the same reason that EasyJet ask for it at check-in: to make sure there is no secondary market in their products.

    The fault is that they are using ’security’ as an excuse for this protocol. If they came clean about the protocol, we could argue about it properly.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

April 2013
M T W T F S S
« Mar   May »
1234567
891011121314
15161718192021
22232425262728
2930