'Anonymized' Credit Card Data Not So Anonymous, MIT Study Shows

schwit1 writes Scientists showed they can identify you with more than 90 percent accuracy by looking at just four purchases, three if the price is included — and this is after companies "anonymized" the transaction records, saying they wiped away names and other personal details. The study out of MIT, published Thursday in the journal Science, examined three months of credit card records for 1.1 million people. "We are showing that the privacy we are told that we have isn't real," study co-author Alex "Sandy" Pentland of the Massachusetts Institute of Technology, said in an email.

Re:Study

http://www.sciencemag.org/content/347/6221/468.full?intcmp=collection-privacy

The published article the clickbait was based on has much better information. For instance: the transactions for a person all still shared a unique ID#. "All that remained were the metadata: amounts spent, shop type—restaurant, gym, or grocery store, for example—and a code representing each person."

If you don't cycle the code per person regularly of course correlation attacks will always work.

Re:Why even 3?

[Not_Wiggins]

The article is misleading. It talks about how it can be used to "identify someone." And with all the talk about privacy, it implies the identification of an individual.

But, reading through it closely, they aren't talking about identifying a specific someone; the information isn't enough to say Not_Wiggins made these purchases.
Instead, it focuses on identifying characteristics of purchasers and then extending it to see what other behavior purchasers in those groups would make.

In the article example, they talked about someone making a purchase at both a bakery and a restaurant within a short time period. Finding that they had one such instance, named him Scott, then looked to see what other behaviors "Scott" had. By extending that logic, they are saying "look at the group of people who typically shop at a bakery and a restaurant... then you know those people are typically also interested in shoes."

The example is a bit silly, but that's what they're saying.

They're talking about documenting patterns of behavior on purchasing decisions.
This article really isn't about loss of anonymity. It is about using anonymized credit card transactions to develop definitions of "user groups" and predicting their shared behavior pattern.

To me, it seems more like the equivalent of last.fm... tell us what music you like, we'll compare it against what others who also have the same "likes" have said, and give you options for things that might fit your tastes.

In this instance, it is: tell us what purchases you've made, we'll compare it against similar purchases that others have made, and we can predict what other purchases you might want/like that you haven't made yet.