Assessing data intrusion threats.

Abstract

Y.-A. de Montejoye et al. 's Report “Unique in the shopping mall: On the reidentifiability of credit card data” (special section on The End of Privacy, 30 January, p. [536][1]) led to a widespread media sensation proclaiming that reidentification is easy with only a few pieces of credit card data ([ 1 ][2]–[ 3 ][3]). Although we agree with de Montejoye et al. that data disclosure practices must be responsibly balanced with data privacy and utility, we are concerned that the study's findings reflect unrealistic data intrusion threats. Making policy decisions based on the conclusions from this work would thus be hasty and could lead to the abandonment of modern data protection standards, with negative consequences to privacy, research, and society. Some media confusion stems from the paper's use of the term “reidentify”; credit card metadata were not actually linked to any personal identities. Instead, it was assumed that an intruder could obtain data about identity, geography, time, and price to reidentify all targeted consumers. Yet this scenario requires some very strong assumptions about the attacker that are unlikely to be realized in practice. First, the study did not demonstrate the extent to which the necessary identifying information could be obtained reliably for any consumer. Second, the study neglects to acknowledge that when the data come from a fraction of the general population, unique purchase data in the sample will often not be unique in the larger population. Given that the undisclosed country's population was likely much larger than 1.1 million, the paper's data uniqueness measure is likely a substantial overestimate of risk. Third, the study's risk estimates are further inflated because they did not include cash or other banks' credit card purchases. The research communicated in this paper is critical to moving forward privacy discussions about data sharing. However, we stress that claims about reidentification must be based on models that realistically and correctly account for the probability, as well as the possibility, of attacks. 1. [↵][4] N. Singer, “With a few bits of data, researchers identify ‘anonymous’ people,” New York Times (29 January 2015); . 2. R. Jacobson, “Your ‘anonymous’ credit card data is not so anonymous, study finds,” PBS NewsHour (29 January 2015); [www.pbs.org/newshour/rundown/anonymous-credit-card-data-anonymous-study-finds/][5]. 3. [↵][6] D. Coldewey, “‘Anonymous’ credit card data can still give you away,” NBC News (29 January 2015); [www.nbcnews.com/tech/tech-news/anonymous-credit-card-data-can-still-give-you-away-n296446][7]. [1]: /lookup/doi/10.1126/science.1256297 [2]: #ref-1 [3]: #ref-3 [4]: #xref-ref-1-1 View reference 1 in text [5]: http://www.pbs.org/newshour/rundown/anonymous-credit-card-data-anonymous-study-finds/ [6]: #xref-ref-3-1 View reference 3 in text [7]: http://www.nbcnews.com/tech/tech-news/anonymous-credit-card-data-can-still-give-you-away-n296446