Privacy challenges

Yves-Alexandre de Montjoye

Analysis: It’s surprisingly easy to identify individuals from credit-card metadata.

Press Contact

Abby Abazorius
Phone: 617-253-2709
MIT News Office

Media Resources

2 images for download

Access Media

Media can only be downloaded from the desktop version of this website.

In this week’s issue of the journal Science, MIT researchers report that just four fairly vague pieces of information — the dates and locations of four purchases — are enough to identify 90 percent of the people in a data set recording three months of credit-card transactions by 1.1 million users.

When the researchers also considered coarse-grained information about the prices of purchases, just three data points were enough to identify an even larger percentage of people in the data set. That means that someone with copies of just three of your recent receipts — or one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought — would have a 94 percent chance of extracting your credit card records from those of a million other people. This is true, the researchers say, even in cases where no one in the data set is identified by name, address, credit card number, or anything else that we typically think of as personal information.

The paper comes roughly two years after an earlier analysis of mobile-phone records that yielded very similar results.

“If we show it with a couple of data sets, then it’s more likely to be true in general,” says Yves-Alexandre de Montjoye, an MIT graduate student in media arts and sciences who is first author on both papers. “Honestly, I could imagine reasons why credit-card metadata would differ or would be equivalent to mobility data.”

De Montjoye is joined on the new paper by his advisor, Alex “Sandy” Pentland, the Toshiba Professor of Media Arts and Science; Vivek Singh, a former postdoc in Pentland’s group who is now an assistant professor at Rutgers University; and Laura Radaelli, a postdoc at Tel Aviv University.

The data set the researchers analyzed included the names and locations of the shops at which purchases took place, the days on which they took place, and the purchase amounts. Purchases made with the same credit card were all tagged with the same random identification number.

For each identification number — each customer in the data set — the researchers selected purchases at random, then determined how many other customers’ purchase histories contained the same data points. In separate analyses, the researchers varied the number of data points per customer from two to five. Without price information, two data points were still sufficient to identify more than 40 percent of the people in the data set. At the other extreme, five points with price information was enough to identify almost everyone.

The researchers characterized price very coarsely, treating all prices that fell within a few fixed ranges as functionally equivalent. So, for instance, a purchase of $20 at some store on some day in one person’s history would count as a match with a purchase of $40 by someone else at the same store on the same day, since both purchases fell within the range $16 to $49. This was an attempt to represent the uncertainty of someone estimating purchase amounts from secondary information, such as an Instagram photo of the food on someone’s plate. The limits of each range were based on a fixed percentage of its median value: The range $16 to $49, for instance, is the median value of purchases ($32.50) plus or minus 50 percent, rounded to the nearest dollar.

Preserving anonymity in large data sets is a pressing concern because public and private entities alike see aggregated digital data as a source of novel insights. Retailers studying anonymized credit-card histories could certainly learn something about the tastes of their customers, but economists might also learn something about the relationship of, say, inflation or consumer spending to other economic factors.

So the MIT researchers also examined the effects of coarsening the data — intentionally making it less precise, in the hope of preserving privacy while still enabling useful analysis. That makes identifying individuals more difficult, but not at a very encouraging rate. Even if the data set characterized each purchase as having taken place sometime in the span of a week at one of 150 stores in the same general areas, four purchases (with 50 percent uncertainty about price) would still be enough to identify more than 70 percent of users.

Nonetheless, de Montjoye and Pentland remain adamant that socially beneficial uses of big data should be pursued. “Sandy and I do really believe that this data has great potential and should be used,” de Montjoye says. “We, however, need to be aware and account for the risks of re-identification.”

In separate work, de Montjoye, Pentland, and other members of Pentland’s group have begun developing a system that would enable people to store the data generated by their mobile devices on secure servers of their own choosing. Researchers looking for useful patterns in aggregate data would send queries through the system, which would return only the pertinent data — such as, for instance, the average amount spent on gasoline during different time periods.

Topics: Media Lab, School of Architecture + Planning, Research, Data, Big data, Privacy


Everyone knows that...

This remind me problems with the privacy of people. If these studies only take data from credit cards or cell phones and allow to identify individuals, what about other kind of data from public traffic cameras, NFC cards, ID cards, photos, highway traffic control and so on? Should these studies be strong evidence about mass control, capacity for private data violation and government control politics over people? A discussion that longs forever...

Doesn't sound easy to have access to 1 million user's 3 transactions each, without already knowing who they are. As I get from this explanation you have to have information about all users, not just the ones you want to identify.

What records are they searching? Who has access to the records they are searching?

I think what they are saying is with three or four credit card purchases the receipts themselves with out the credit card number on them could reveal the user when compared to a database of 1 million users even if the data was course. Course data means data lies in a range like 1PM to 3PM not 2:39PM or $1 to $5 instead of say $2.50. Time is more likely to be course because the Credit Card company might keep records down to the last second while the receipt was printed only to the minute.

They are searching through a databank of credit card transactions. So, the next time I find a misplaced billfold with three receipts, I can hire a hacker that has the credit card transactions of 1.1 million people to identify the owner. Big deal.

Back to the top