How three small credit card transactions could reveal your identity

A new study suggests anonymous data sets aren't very anonymous after all

Just three small clues - receipts for a pizza, a coffee and a pair of jeans - are enough information to identify a person's credit card transactions from among those of a million people, according to a new study.

The findings, published in the journal Science, add to other research showing that seemingly anonymous data sets may not protect people's privacy under rigorous analysis.

"The fact that a few data points are enough to uniquely identify an individual was true in credit card metadata," said Yves-Alexandre de Montjoye, an MIT graduate student and one of the study's authors.

Montjoye and his colleagues analyzed credit card transactions provided by an unnamed major bank from 1.1 million people over a three-month period in some 10,000 stores.

They were trying to see how much data they needed to identify a person's transactions from a larger set of transaction records. Absent from the data were names, addresses, email addresses and other personal information.

Ninety percent of the time, the researchers could pick out an individual using just four pieces of data, such as the locations where four purchases were made. Adding price information -- for example, purchase receipts -- allowed them to identify a person with just three transactions.

They could also identify individuals from "one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought," they said.

"The fundamental scientific question is one of our human behaviour," de Montjoye said. "It's really how our behavior compares with that of others and eventually makes us unique and identifiable."

The researchers didn't try to actually identify particular individuals, but instead to figure out on average how much data would be needed to narrow transactions down to a person.

"We did not try to find a specific person on purpose," he said.

The latest research adds to a 2013 study de Montjoye co-authored that showed that four data points, such as place and time, were enough to identify a person from a mass of mobile phone records 95 percent of the time.
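The kind of measurement described above, as an added example that is not code from the study or the article: it counts how often p known transactions match exactly one pseudonymous user in a data set, with and without the price field. The records, the `day` field and every name in the code are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data: pseudonymous id -> (shop, day, price) records.
# There are no names or addresses, as in the data set the article describes.
TRACES = {
    "u1": [("pizzeria", "Mon", 12), ("cafe", "Tue", 4), ("jeans", "Wed", 60)],
    "u2": [("pizzeria", "Mon", 25), ("cafe", "Tue", 4), ("jeans", "Wed", 45)],
    "u3": [("pizzeria", "Mon", 12), ("cafe", "Tue", 9), ("books", "Thu", 20)],
    "u4": [("cafe", "Tue", 4), ("books", "Thu", 20), ("jeans", "Wed", 60)],
}
FIELDS = {"shop": 0, "day": 1, "price": 2}  # hypothetical column layout


def project(records, fields):
    """Keep only the named fields of each record, as a set for subset tests."""
    idx = [FIELDS[f] for f in fields]
    return frozenset(tuple(r[i] for i in idx) for r in records)


def unicity(traces, p, fields):
    """Fraction of (user, p known records) cases that match exactly one user."""
    views = {u: project(recs, fields) for u, recs in traces.items()}
    unique = total = 0
    for recs in traces.values():
        for known in combinations(recs, p):
            known_view = project(known, fields)
            matches = sum(1 for v in views.values() if known_view <= v)
            total += 1
            unique += matches == 1
    return unique / total if total else 0.0


def report(traces, max_points=3):
    """Unicity for 1..max_points known records, without and with price."""
    rows = []
    for fields in (("shop", "day"), ("shop", "day", "price")):
        for p in range(1, max_points + 1):
            rows.append((fields, p, round(unicity(traces, p, fields), 3)))
    return rows


if __name__ == "__main__":
    for fields, p, value in report(TRACES):
        print(f"{'+'.join(fields):<16} p={p}  unicity={value:.3f}")
```

A data owner can run the same measurement on a candidate release to see how unicity changes as fields are coarsened or dropped before publication.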

The research highlights the regulatory and policy challenges around anonymity, de Montjoye said. Legally, society relies on a definition of anonymity -- such as removing names and email addresses from records -- that is widely believed to provide protection.

"What our study shows is that this is not enough to prevent identification," he said.

The other way to define anonymity, endorsed by the European Union, is that data must be "provably" anonymous, and make it impossible to identify an individual under any circumstances.

Verifying that condition is difficult, de Montjoye said. In addition, scrambling the data too much may prevent novel and legitimate uses, such as studying consumption patterns or inflation. But people should be aware of the potential risks of identification.

"I don't think it's ever going to be 100 percent safe, but there are steps that can be taken," he said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
