Anonymized credit card data – only locations and times of purchases made – are enough to identify a person, a new MIT study shows. Shopping habits are so unique, that knowledge of only four transactions help tell who the buyer is.
Three months of credit card transactions carried out by 1.1 million people in 10,000 shops in one country were studied by the Massachusetts Institute of Technology team, which made the results public in a January 30 issue of Science journal.
The name of the country is not specified, it’s only designated as an Organization for Economic Co-operation and Development (OECD) country. The source of the data is only mentioned as a “major bank.”
The scientists dealt with anonymized data, which did not contain neither names nor account numbers. Only metadata was left available – the time and place of a purchase.
To identify a particular person in the bulk of financial metadata, one only needs “four pieces of outside information about a user,” the study revealed. Those four pieces could be a person’s four non-anonymous purchases. One’s social media activity is one source of this type of information.
“For example, let’s say that we are searching for Scott in a simply anonymized credit card data set,” the research says. “We know two points about Scott: he went to the bakery on 23 September and to the restaurant on 24 September. Searching through the data set reveals that there is one and only one person in the entire data set who went to these two places on these two days.”
Knowing the price of a purchase makes identification process quicker and simpler.
Special issue: Does the era of big data mean the end privacy? http://t.co/ItLK2ERo6V
— Science Magazine (@sciencemagazine) January 29, 2015
“We are showing that the privacy we are told that we have isn’t real,” study co-author Alex ‘Sandy’ Pentland of MIT told AP.
Among the things the scientists came across in their research was that women were easier to identify then men, and that the higher income one had the more vulnerable he or she was to exposure. The study authors chose not to focus on the reasons behind these factors.
The research makes our expectations of privacy no more than an “illusion,” Eugene Spafford, director of Purdue University’s Center for Education and Research in Information Assurance and Security.
“In light of the results, data custodians should carefully limit access to data,” said Arvind Narayanan, a computer scientist at Princeton University, Science reported.
Metadata has been placed into spotlight by former NSA contractor Edward Snowden, who disclosed US’s NSA collected records of times and locations of phone-calls and emails of millions of Americans.
“While government surveillance has been getting a lot of press, and certainly the revelations warrant such scrutiny, a large number of corporations have been quietly expanding their use of data,” privacy consultant and author Rebecca Herold told AP.
Studies like this show “how metadata can be used to pinpoint specific individuals,” she added, and offered to look into other spheres in which basic information could potentially appear too revealing, like insurance, loan and mortgage applications, divorce proceedings.