ECONOMY

It Takes Just a Few Purchases to Figure Out Who You Are

Group of business people hiding their faces behind a question mark sign at office

“We respect your privacy.”

“Any information you provide will be held in strict confidence.”

“All of your information and responses will remain anonymous.”

Whether you are asked to respond to personal questions through a poll on the Internet, on a form in the doctor’s office or via government questionnaire in the mailbox, we’re all used to hearing these kinds of reassuring words. “We know you’re worried about privacy and data theft. We hear your concerns — but don’t worry. We’re looking out for you!”

Problem is, the road to hell is said to be paved with such best intentions — and the road to your loss of privacy may be as well.

Big Brother Is Watching You — and Knows Exactly Who You Are

That’s the disturbing conclusion of new research just out of MIT. As reported in the Jan. 30 issue of the journal Science, researchers at MIT have established that they can identify 90 percent of supposedly anonymous shoppers if provided a record of 1.1 million credit card users’ purchase histories over a three-month period and the locations and dates of four purchases made by an individual within that time span.

What’s more, if provided data on the dollar value of the purchases, the researchers demonstrated that just three location/date pairings were enough to figure out who made the purchases — for 94 percent of shoppers. Upping the data points to five, and including purchase amounts, allowed researchers to identify “almost everyone” on the list.

What’s more, accomplishing this feat didn’t require the MIT analysts to possess any of the things we ordinarily worry about being stolen in incidents of data theft — your name, address, Social Security number or credit card number, for example. Rather, researchers were able to accomplish their mission using such tools as:

  • A copy of a store purchase receipt.
  • A dated Instagram photo picturing you having coffee at a coffee shop.
  • A Tweet describing a purchase you just made.

These tools alone suffice to narrow down a field of 1.1 million credit card transactions and identify your individual credit card records.

Big Brother Doesn’t Mean Any Harm — He Just Can’t Help Himself

Nervous yet? But we haven’t even gotten to the good part! MIT researchers, by and large, aren’t interested in stealing your personally identifiable data, or your identity. Rather, the purpose of this study was to find a way to “vague up” large amounts of raw data in a manner permitting researchers to extract economically useful patterns such as “the relationship of, say, inflation or consumer spending to other economic factors” — but in a way that preserved shoppers’ privacy, leaving them individually unidentifiable.

But it turned out that this was harder than it sounded. The researchers tried “coarsening” the data contained in the 1.1 million purchase records, “intentionally making it less precise.” To do this, for example, they might take a purchase of a $5 cup of coffee at Starbucks on Jan. 1, and report it as a purchase of something … for a price of between $2.50 and $7.50 … at one of 150 stores-of-which-Starbucks-was-only-one … at some time between Jan. 1 and Jan. 7.

Given such data on four purchases, they still were able to figure out who bought the coffee 70 percent of the time, even if they didn’t necessarily want to.

Now imagine what happens once someone who does want to track you down figures out this trick. Privacy, as we once knew it, might just be dead.

Leave a Reply

Your email address will not be published. Required fields are marked *