A total of three key documents – checks for pizza, coffee and a pair of jeans – provided sufficient information in order to distinguish a transaction credit card belonging to a particular person from operations millions of others.
The results of research carried out at the Massachusetts Institute of Technology and published in the journal Science, along with other works demonstrate that in the case of a careful analysis of the data sets, which seem at first glance anonymous, actually can not provide complete privacy. “If we talk about the metadata of credit cards, even a very small amount of information is sufficient to uniquely identify a person,” – said one of the study’s authors, Yves-Alexandre de Montjoie.
Together with his colleagues analyzed the transaction Montjoie credit card issued by one of the major banks. Within three months, 1.1 million bank customers made purchases of 10 thousand. Shops.
Researchers have tried to figure out how much data they need to select the transaction of any one particular person from the crowd. In this case, the data did not have any names, addresses, e-mail and other personal information.
In 90% of cases, the researchers were able to name the buyer, guided by information about the place of the commission of four purchases. Adding to them pricing information – such as sales receipts – allowed the identification of a person for only three transactions.
A placement in Instagram photos in which you drink coffee with friends, or tweet about just bought the phone provides identification of even one check.
“From a scientific point of view, the main task here is to analyze the behavior – said Montjoie. – Comparison of the actions of a single person with the behavior of other people end up unambiguously identify it. “
The researchers did not attempt to identify any particular person, and determined how much data is needed on average to narrow the range of transactions to a single buyer.
“We did not set a goal to find a particular person,” – said Montjoie.
Recent studies complement the work carried out Montjoie in 2013 and showed that the four sets of data, including information about the place and time, in 95% of cases it is sufficient to highlight the cell phone calls of a single person from the mass of other calls.
Studies have shown inconsistency rules of anonymity dictated by regulatory authorities today. It is believed that the removal of these personal data (such as names, addresses and e-mail) gives people protection of confidentiality, but in fact it is not.
“Our study shows that this is not enough to prevent identification,” – said Montjoie.
In another definition of the anonymity offered by the European Union, requires the impossibility of identifying the person under any circumstances.
“To ensure compliance with this condition is very difficult – admits Montjoie. – In addition, excessive data cleaning can prevent their useful, for example, to study the habits of consumers or estimates of inflation. People should be aware of the potential risk identification. I do not think that someday we will be able to protect yourself 100%, but this should strive. “
Read another very interesting article about alternative energy of the Sun, water and air.