MIAMI, United States — Just four bits of information gleaned from a shopper’s credit card can be used to identify almost anyone, suggesting that even anonymous big data sets can breach individual privacy, researchers said Thursday.
The study in the journal Science crunched three months of credit card records for 1.1 million people in an unidentified industrialized country.
Ninety percent of individuals could be uniquely identified using just four pieces of information, such as where they bought coffee one day, or where they purchased a new sweater or pair of shoes.
In other words, credit cards use was just as reliable at identifying someone as mobile phone records, the study said.
Knowing the price of a transaction could boost the risk of re-identification by 22 percent.
“Even data sets that provide coarse information at any or all of the dimensions provide little anonymity,” said the study led by Yves-Alexandre de Montjoye at the Massachusetts Institute of Technology (MIT) and colleagues at Aarhus University in Denmark.
Even if some of the specifics were stripped from credit card data, such as noting the general area where a purchase was made instead of the specific shop, or expanding the time range to 15 days instead of one, a person who would have believed themselves anonymous could be re-identified with “just a few more additional data points,” said the study.
“Women are more re-identifiable than men in credit card metadata,” it added.
People with higher incomes were also easier to identify, perhaps because they “have distinctive patterns in how they divide their time between the shops they visit,” added the study.
The researchers called for more advanced technologies to protect data that is simply made anonymous.