Yves-Alexandre de Montjoye, a computer-security researcher at the Massachusetts Institute of Technology (MIT) in Cambridge, and his colleagues managed to identify one individual from a sea of ‘anonymized’ credit-card data. Their research, published on 29 January in Science, analysed credit-card transaction information, or ‘metadata’, from 1.1 million shoppers in countries that are members of the Organisation for Economic Co-operation and Development (OECD). de Montjoye explains that databases of credit card records, even stripped of personal information like card number, name and address, contain more than enough information to “re-identify” individuals. “We are showing that the privacy we are told that we have isn’t real,” study co-author Alex “Sandy” Pentland of MIT said in an email. The personal data get anonymized when they share information with the outsiders, saying the data is now safe. But the researches showed that anonymized isn’t quite the same as anonymous. Such databases are used by stores and cities to track commercial activity. de Montjoye showed that patterns emerge even when only the location and time of purchases are available. In 90 percent of cases, it only took four known data points to tie an “anonymous” card to a real person — and sometimes less. For instance just take an example, if you know John went to the shopping mall on Wednesday and gassed up his car Thursday, then compare that to the anonymous records, you may find that only one card made purchases in those order. That means its John’s card and now you can look up all the rest of his purchases. Eugene Spafford, director of Purdue University’s Center for Education and Research in Information Assurance and Security said that “we think we have privacy when our data is collected, it’s really just an “illusion,”. He further added that it makes “one wonder what our expectation of privacy should be anymore.” An outsider expert Lorrie Faith Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University said “It is not surprising to those of us who spend our time doing privacy research, But I expect it would be surprising to most people, including companies who may be routinely releasing de-identified transaction data, thinking it is safe to do so.” You can read Yves-Alexandre de Montjoye and his team’s full research thesis here
