Slashdot Mirror
'Anonymized' Credit Card Data Not So Anonymous, MIT Study Shows
schwit1 writes Scientists showed they can identify you with more than 90 percent accuracy by looking at just four purchases, three if the price is included — and this is after companies "anonymized" the transaction records, saying they wiped away names and other personal details. The study out of MIT, published Thursday in the journal Science, examined three months of credit card records for 1.1 million people. "We are showing that the privacy we are told that we have isn't real," study co-author Alex "Sandy" Pentland of the Massachusetts Institute of Technology, said in an email.
http://www.sciencemag.org/content/347/6221/468.full?intcmp=collection-privacy
The published article the clickbait was based on has much better information. For instance: the transactions for a person all still shared a unique ID#. "All that remained were the metadata: amounts spent, shop type—restaurant, gym, or grocery store, for example—and a code representing each person."
If you don't cycle the code per person regularly of course correlation attacks will always work.
As one who got tired of high fees, I dropped the use of credit/debit cards.
What? Debit cards don't have fees. Credit cards are usually available with no fee, or with benefits (such as airline miles) that more than compensate for the fee. There may be good reasons to not use credit/debit cards, but "high fees" is not one of them.
The article is misleading. It talks about how it can be used to "identify someone." And with all the talk about privacy, it implies the identification of an individual.
But, reading through it closely, they aren't talking about identifying a specific someone; the information isn't enough to say Not_Wiggins made these purchases.
Instead, it focuses on identifying characteristics of purchasers and then extending it to see what other behavior purchasers in those groups would make.
In the article example, they talked about someone making a purchase at both a bakery and a restaurant within a short time period. Finding that they had one such instance, named him Scott, then looked to see what other behaviors "Scott" had. By extending that logic, they are saying "look at the group of people who typically shop at a bakery and a restaurant... then you know those people are typically also interested in shoes."
The example is a bit silly, but that's what they're saying.
They're talking about documenting patterns of behavior on purchasing decisions.
This article really isn't about loss of anonymity. It is about using anonymized credit card transactions to develop definitions of "user groups" and predicting their shared behavior pattern.
To me, it seems more like the equivalent of last.fm... tell us what music you like, we'll compare it against what others who also have the same "likes" have said, and give you options for things that might fit your tastes.
In this instance, it is: tell us what purchases you've made, we'll compare it against similar purchases that others have made, and we can predict what other purchases you might want/like that you haven't made yet.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
And this only works if you have a lot of other data in your data set. If you don't know who Scot is, then you can't figure out he's the only person who could go to the bakery on that one exact day and that particular restaurant the next.
I don't think anyone is particularly sanguine about the future of privacy if big companies manage to figure out a way to profit from combining their multiple massive databases. This is particularly true in the US, where it would be virtually impossible to stop the police from using said databases with our warrants. Or worse, using info that the big companies forwarded them as the basis for warrants.
If Apple or Google can silence one of it's critics by figuring out he was paying a hooker with his supposedly anonymous Mastercard gift card, that is a really fucking bad thing.