A study recently published by scientists at Massachusetts Institute of Technology (MIT) has challenged the belief that credit card data is anonymous after examining just three months of credit card records for 1.1 million people.
“We are showing that the privacy we are told that we have isn’t real,” said Alex “Sandy” Pentland, study co-author from MIT in an email regarding the new study.
According to Pentland, the research proves that it only takes a small bit of outside information to identify one certain individual out of the thousands of financial transactions examined during the study. While companies claim to “anonymize” the consumer’s credit card data upon entry by removing personal identifiers, Pentland’s study shows how anonymized and anonymous are mutually exclusive terms.
In order to perform the study, the researchers looked at information from 10,000 stores in an unidentified developed country. Lead author of the credit card data security study Yves-Alexandre de Montjoye, also with MIT, said that the team would keep each data piece time-stamped so that they could learn the average of how long it took to identify someone. In precisely 90 percent of cases, it only took four pieces of data or less to relink the purchase to the consumer. In most cases if price was included in the data piece, the scientists needed only three pieces; without, just four.
Montjoye claimed that patterns occur even when just the location and times of purchase are accessible, making it simpler to track down and “re-identify” the individual who made the purchase. Montjoye also mentioned that women and people with higher incomes were easier to identify; however, the study could not conclude why.
“Sandy and I do really believe that this data has great potential and should be used,” de Montjoye said in a press release regarding the study. “We, however, need to be aware and account for the risks of re-identification.”
Eugene Spafford, director of Purdue University’s Center for Education and Research in Information Assurance and Security, said the research confirms that what most people in society believe about credit card data privacy is an “illusion.” Despite being disassociated with the study itself, Spafford said it makes “one wonder what our expectation of privacy should be anymore.”