Shopping isnt Anonymous anymore : shopping metadata reveals your identity
A team of security researcher has shown that it’s possible to identify the owner of a credit card from among millions of “anonymized” transactions by knowing just a handful of that person’s purchases. They have showed the credit card owner can identified with more than 90 percent accuracy by looking at just four purchases, three if the price is included.
Yves-Alexandre de Montjoye, a computer-security researcher at the Massachusetts Institute of Technology (MIT) in Cambridge, and his colleagues managed to identify one individual from a sea of ‘anonymized’ credit-card data. Their research, published on 29 January in Science, analysed credit-card transaction information, or ‘metadata’, from 1.1 million shoppers in countries that are members of the Organisation for Economic Co-operation and Development (OECD).
de Montjoye explains that databases of credit card records, even stripped of personal information like card number, name and address, contain more than enough information to “re-identify” individuals.
“We are showing that the privacy we are told that we have isn’t real,” study co-author Alex “Sandy” Pentland of MIT said in an email.
The personal data get anonymized when they share information with the outsiders, saying the data is now safe. But the researches showed that anonymized isn’t quite the same as anonymous.
Such databases are used by stores and cities to track commercial activity. de Montjoye showed that patterns emerge even when only the location and time of purchases are available. In 90 percent of cases, it only took four known data points to tie an “anonymous” card to a real person — and sometimes less.
For instance just take an example, if you know John went to the shopping mall on Wednesday and gassed up his car Thursday, then compare that to the anonymous records, you may find that only one card made purchases in those order. That means its John’s card and now you can look up all the rest of his purchases.
Eugene Spafford, director of Purdue University’s Center for Education and Research in Information Assurance and Security said that “we think we have privacy when our data is collected, it’s really just an “illusion,”. He further added that it makes “one wonder what our expectation of privacy should be anymore.”
An outsider expert Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University said “It is not surprising to those of us who spend our time doing privacy research, But I expect it would be surprising to most people, including companies who may be routinely releasing de-identified transaction data, thinking it is safe to do so.”
“While government surveillance has been getting a lot of press, and certainly the revelations warrant such scrutiny, a large number of corporations have been quietly expanding their use of data,” said privacy consultant and author Rebecca Herold. Studies like this show “how metadata can be used to pinpoint specific individuals. This also raises the question of how such data would be used within insurance actuarial calculations, insurance claims and adjustments, loan and mortgage application considerations, divorce proceedings.”
You can read Yves-Alexandre de Montjoye and his team’s full research thesis here