LDprod / Shutterstock.com

Your Credit Card Record Is Not So Anonymous, New Study Reveals

It takes just four pieces of information about what you did, where you went, or what you bought on a particular day to give someone a 90 percent chance of matching your anonymised credit card record to your identity.

BEC CREW
30 JAN 2015
 

I don’t want to alarm you, but your metadata is showing, and can lead people straight to your credit card details. Scientists have found that 90 percent of the time, they need just four pieces of outside information on you - for example, what store you shopped at on a given day, what you bought, how much an item cost - to match an anonymised credit card record to your identity. 

 

The team, led by computer scientist Yves-Alexandre de Montjoye at the Massachusetts Institute of Technology (MIT) in the US, analysed three months of credit card records belonging to 1.1 million people. The records had been stripped of any personal information, including names and account numbers, which is what companies routinely do when they sell data about you and your purchases to other companies.

The team then gathered information from 10,000 shops, and information readily available about individuals online, such as their tweets, Instagram photos, and Facebook updates. Think about how many times you’ve Instagrammed yourself eating at a particular restaurant, tweeted that you’re drinking at a particular bar, or snapped yourself at an art gallery and updated your Facebook feed. 

Using this kind of information, the team wanted to figure out how many individual pieces of information about what a person has done on a particular day were needed to match them and their credit card details. Four turned out to be the magic number, which allowed the team to successfully match a person with an anonymised credit card record 90 percent of the time. They only needed three pieces of outside information if one of those was the price of the item purchased.

"Those four clues didn't have to include anything about what had been bought, although a guess at the approximate price of the transaction did sharpen their accuracy,” Aviva Rutkin reports for New Scientist. "Women and people with higher incomes were even easier to spot, perhaps because these groups had more diverse behaviour, making individuals distinct from their peers.”

Heres an example, from The Associated Press:

“The researchers wrote about looking at data from September 23 and 24 and who went to a bakery one day and a restaurant the other. Searching through the data set, they found there could be only person who fits the bill - they called him Scott. The study said, "and we now know all of his other transactions, such as the fact that he went shopping for shoes and groceries on 23 September, and how much he spent."

The team published their findings today in the journal Science.

The results complement previous experiments performed by de Montjoye's team in 2013, when they were able to match people with their anonymous phone records at a success rate of 95 percent. 

"We're building this body of evidence showing how hard it actually is to anonymise large sets of data like credit cards, mobile phones, and browsing information," de Montjoye told Aviva Rutkin at New Scientist. "We really need to think about what it means to make data truly anonymous and whether it's even possible.”

Big data is now one of the most valuable commodities in the world, and companies are scrambling to get their share of personal information about consumers, whether they collect it themselves, or buy it from someone else who does. What you buy online, what you search for, what you email your friends about, and what links you click on - it’s all worth something, and not just to the advertisers and marketing agencies who pay for it.

So, what's the solution? William Herkewitz from Popular Mechanics spoke to privacy policy expert Paul Schwartz, from the University of California, Berkeley in the US, who says he hopes research like this will convince governments around the world to update their laws surrounding what's known as 'personally identifiable information', or PII. PII governs how, when, and why your personal information is shared with companies or made publicly available, and the only way to do this safely is knowing how it can be misused.

I, for one, am just glad there's another reason for everyone to stop Instagramming their fancy desserts and Acne bags. And I don't need to tell you how dangerous selfies are, right?

Sources: The Associated Press, New Scientist, Popular Mechanics

More From ScienceAlert

World's first AI citizen in Saudi Arabia is now calling for women's rights
12 hours ago
Here's the science on whether skinny teas actually boost weight loss
10 hours ago