How You Shop Can Reveal Your Identity to Thieves

Women are more easily identified from their shopping patterns than men


You might think you are security conscious, but your body and your habits betray you. Not only can the data-savvy deduce your identity from the unique wobbles in video from a body-mounted camera, but apparently all they really need is where and when you use your credit card. No need for the other bits of personal information — your name, address or account numbers — they know who you are already.

Or at least, MIT researchers know who you are. Rather, they’ve proved in a new study published in Science that they can find out. They looked at three months of data from 1.1 million credit card users in an unidentified country. For Scientific American, Larry Greenemeier reports:

Using both the credit card and transaction information the researchers identified 90 percent of the individuals in the data set. When they added the exact prices of transactions to the mix, they increased their ability to re-identify anonymous records by 22 percent. The researchers found that they could identify people even if they knew only their general location or a time frame during which the people shopped.

The easiest groups of people to ID were women and people who earned more. 

A survey from a Boston-based consulting group shows that people are well aware of the sensitivity of credit card data. A very large proportion of Americans — 87 percent — think that such data is moderately or extremely private. Only 68 percent are as concerned about their health and genetic data. So why are we letting so many people get their hands on credit card data? In Science, the researchers point out that "financial data sets have been used extensively for credit scoring, fraud detection, and understanding the predictability of shopping patterns." The article is part of a package the research journal calls "The end of privacy."

The big message from the new study, Greenemeier writes, is that even when data is "de-identified" it isn’t necessarily secure. That puts a lot of our anonymization laws — such as those required by the Health Insurance Portability and Accountability Act (HIPAA) — on shaky ground.
