Basically the same process is in place every time a credit card is used: we present the card – swiping, inserting, tapping or typing in details – then give authorisation for the purchase.

After that, the payment is transmitted between electronic communication centres, and when it is approved we get a receipt of the charge. Details of the transaction are then listed on our credit card statement, as well as on the point-of-sales terminal and other related networks in the form of anonymised “metadata”.

It is this data that we assume leave us anonymous – with the records excluding personal information such as names and addresses. Instead, this metadata records details like the transaction time, purchase amount and store location.

What researchers at MIT have found, however, is that people can be identified from the metadata details of just four purchases. And if the purchase price is part of the detail, only three purchases or other “data points” were needed to figure out who you are.

So here we take a look at the research and the implications it could have for us in the future.

On This Page

Introduction

1. An overview of the MIT credit card metadata study
2. What this study means for credit card privacy
3. What could people do with this information?
4. Can this data be protected?
5. Conclusion: Protecting your privacy

An overview of the MIT credit card metadata study

The study  – published in the journal Science in January 2015 – specifically looked at a data set recording three months of credit-card transactions by 1.1 million users. The results revealed that that having the dates and locations of four purchases gave them a 90% chance of “reidentifying” someone from anonymised data.

The purchase price alone increased the chances of identifying someone by 22%, and people with high incomes, as well as women, had a higher chance of identification (although the researchers are not sure why). What’s more is that when the researchers also considered “coarse-grained” information about the prices of purchases, they found that just three data points were enough to identify an even larger percentage of people in the data set.

“That means that someone with copies of just three of your recent receipts – or one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought – would have a 94% chance of extracting your credit card records from those of a million other people,” MIT News explains.

“This is true, the researchers say, even in cases where no one in the data set is identified by name, address, credit card number, or anything else that we typically think of as personal information.”

What this study means for credit card privacy

This study has shattered the assumptions that we have privacy and anonymity when making a purchase. While there is a legal obligation for storage of this data to be removed of personal identifiers, the information about transaction locations, times and values are actually important records for most merchants. After all, they need these records for tax purposes (among other things), and “anonymising” the data has always seemed like the best way to keep everyone happy.

Unfortunately, this MIT study reveals that’s not the case for credit card (or debit card) transactions: it shows that if you know who you are looking for, you can use this data to find out even more about them.

“Let’s say that we are searching for Scott in a simply anonymized credit card data set,” the study hypothesises. “We know two points about Scott: he went to the bakery on 23 September and to the restaurant on 24 September.”

“Searching through the data set reveals that there is one and only one person in the entire data set who went to these two places on these two days…Scott is reidentified, and we now know all of his other transactions, such as the fact that he went shopping for shoes and groceries on 23 September, and how much he spent.”

The fact that it is so simple to figure out these details from so-called “anonymous” data shows that transaction privacy as we know it is an illusion.

What could people do with this information?

There are a lot of reasons people value privacy, and just as many ways for our details to be used. The worst-case scenario for this weakness in current purchase privacy is that someone could get their hands on reams of transaction data, identify you from it and unlock the details of every single transaction you have made within that data set.

Theoretically, that could mean someone is able to get access to anywhere from a few weeks to a few years worth of your transaction data. They could then use this information to create a profile of you for anything from marketing to targeting you as part of a scam.

Say, for example, a criminal was targeting you and had access to this kind of data. They could then call you and pretend to be from a merchant or your bank, citing transactions they know you have made. There are already scams that operate with similar scenarios. NAB, for example, has put out an alert about a scam where fraudsters claim to be from the bank’s security division.

“Fraudsters claiming to be from ‘NAB Security’ are contacting people by phone, saying they have cancelled the customer’s credit card and need their details to send out a replacement card,” the warning says.

But imagine if these fraudsters also knew all of your transactions for the past three months? How would you know it wasn’t legitimate when, for example, they mention the $21.95 you spent on lunch yesterday?

Another way this data could be used is to figure out where you live. By analysing all of the transaction locations and times, it is highly possible that someone could map out your daily habits to get an idea of where you spend time during and after work hours.

But this data could also have less sinister uses. Corporations are already investing millions of dollars in getting our data from online services like search engines and social media hubs. Currently, they’re using this “big data” for more targeted advertising, such as the ads you see on Facebook that somehow seem to relate to things you have written or searched for.

Transaction data would be just another way to make this kind of advertising even more focused. If a company knew that you always bought a coffee from the café down the road on your way to work, for example, it could design a promotion that offers you a discount or a better deal closer to work.

Can this data be protected?

Whether it is a company or criminals utilising this data is a moot point when it comes to the question of ethics. After all, we don’t necessarily consent to having this type of transaction data recorded, stored and used whenever we make a purchase.

So the big question that this MIT survey has brought up is this: what happens next? According to MIT, it is about finding a better balance between anonymity and data storage.

“Preserving anonymity in large data sets is a pressing concern because public and private entities alike see aggregated digital data as a source of novel insights,” MIT News says. It explains how the researchers looked at making the data less specific to increase the privacy it offered shoppers but still offer “useful” analysis options.

“[This process] makes identifying individuals more difficult, but not at a very encouraging rate,” MIT says.

“Even if the data set characterized each purchase as having taken place sometime in the span of a week at one of 150 stores in the same general areas, four purchases (with 50 percent uncertainty about price) would still be enough to identify more than 70 percent of users.”

So it seems further “coarsening” of this kind of data is just a small step in the right direction. With that in mind, it could be more important to consider the amount of protection provided for storage of this data.

The past few years have already seen a wide range of hacking incidents (predimonantly in the US), where credit card data has practically been handed to criminals once they get through the electronic barriers in place for point-of-sales terminals and corporate computers. This data offers another gateway for criminals, so it is likely corporations, banks and credit card companies will all want to find ways to make sure it stays safe.

Protecting your privacy

Concern over anonymous data is actually secondary when compared with the amount of data most of us freely give away.

If you are signed up to a rewards program, for example, you are probably sharing information every time you enter your member number, or scan or swipe your rewards card. The company that runs the program can then use this data to design its promotions, as well as share it with “rewards partners”.

Similarly, if you have an account with Google, Yahoo, Outlook, Facebook, Twitter, YouTube or any other number of sites online, you have agreed to share some of your data with these companies and their affiliates. As mentioned before, that’s how targeted advertising is created.

The point is that we already give so much of our “data” away. With the “anonymised” data of transactions, however, there is no box to tick to agree to it – it simply happens. But that doesn’t mean you have to switch back to old-fashioned cash to stay safe.

Instead, it could just be a matter of staying mindful of how you pay for things and where you use your credit card (or other electronic payment tools). At the very least, that will help you keep track of any specific threats if, say, the company has to deal with a hack. If you have a more vested interest in your privacy, though, you could start researching the privacy policies of the companies you regularly pay to see exactly what data they store and how it is used and protected by them.

At this stage, anonymised data doesn’t really pose a major threat to us. But the MIT study has brought to light that privacy as we know it is often just an illusion – and that it should never be taken for granted.

Photo source: Shutterstock