How three small credit card transactions could reveal your identity

A new study suggests anonymous data sets aren't very anonymous after all

Just three small clues - receipts for a pizza, a coffee and a pair of jeans - are enough information to identify a person's credit card transactions from among those of a million people, according to a new study.

The findings, published in the journal Science, add to other research showing that seemingly anonymous data sets may not protect people's privacy under rigorous analysis.

"The fact that a few data points are enough to uniquely identify an individual was true in credit card metadata," said Yves-Alexandre de Montjoye, an MIT graduate student and one of the study's authors.

Montjoye and his colleagues analyzed credit card transactions provided by an unnamed major bank from 1.1 million people over a three-month period in some 10,000 stores.

They were trying to see how much data they needed to identify a person's transactions from a larger set of transaction records. Absent from the data were names, addresses, email addresses and other personal information.

Ninety percent of the time, the researchers could pick out an individual using just four pieces of data, such the locations where four purchases were made. Adding price information -- for example, purchase receipts -- allowed them to identify a person with just three transactions.

They could also identify individuals from "one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought," they said.

"The fundamental scientific question is one of our human behaviour," de Montjoye said. "It's really how our behavior compares with that of others and eventually makes us unique and identifiable."

The researchers didn't try to actually identify particular individuals, but instead to figure out on average how much data would be needed to narrow transactions down to a person.

"We did not try to find a specific person on purpose," he said.

The latest research adds to a 2013 study de Montjoye co-authored that showed that four data points, such as place and time, were enough to identify a person from a mass of mobile phone records 95 percent of the time.

The research highlights the regulatory and policy challenges around anonymity, de Montjoye said. Legally, society relies on a definition of anonymity -- such as removing names and email addresses from records -- that is widely believed to provide protection.

"What our study shows is that this is not enough to prevent identification," he said.

The other way to define anonymity, endorsed by the European Union, is that data must be "provably" anonymous, and make it impossible to identify an individual under any circumstances.

Verifying that condition is difficult, de Montjoye said. In addition, scrambling the data too much may prevent novel and legitimate uses, such as studying consumption patterns or inflation. But people should be aware of the potential risks of identification.

"I don't think it's ever going to be 100 percent safe, but there are steps that can be taken," he said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the PC World newsletter!

Error: Please check your email address.

Tags securityMassachusetts Institute of Technologyprivacy

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?