July 6, 2015 in Forum

Let’s be reasonable about data privacy

SHARE: PRINT ARTICLE:print this page https://doi.org/10.1287/LYTX.2015.04.10

The way some people talk about privacy, you would think we need to stop using credit cards or cell phones to have private lives – because everyone and their uncle is trying to find us in data. I certainly don’t want to live in a world where there is no privacy. But we also need to be reasonable, and reasonably well informed, about the risks.

The recent study, published by researchers at the MIT Media Lab, “Unique in the shopping mall: On the reidentifiability of credit card metadata,” makes it seem like the risks are astronomical. Apparently 90 percent of individuals are unique and identifiable based on the results of this study. All you need to know is four credit card transactions with the date, the place and the amount paid. Let’s look at some of the details described in the study and see if they seem reasonable to us.

The credit card data used in this research had 1.1 million people in it, covering 10,000 shops, over a three-month period, for some undisclosed country. Some numbers are provided that would suggest over half of payments use a credit card. So if we want to put a name to someone in this data, we need to know that they used their credit card to make a purchase. Four times. And we need to know where and when. I barely remember what purchases I made last week, let alone anyone else’s, and certainly not going back three months.

What about that 1.1 million people in the data set? If they are part of a larger population of people that made credit card purchases in the country, then they are a sample. A sample doesn’t have everyone in the population, just some of them.

It is simply assumed that unique people in the data set are unique in the population, and we have no way to know if this is true since important details are lacking from the report. There are ways to estimate if the unique people in a data set are unique in the population. But there is no mention of this in the report, and there are no references to journal articles that discuss these estimators.

An example is given in which we want to find “Scott” in the data set. We apparently know he went to the bakery on Sept. 23 and to the restaurant on Sept. 24. Presumably we also know he used his credit card to make these purchases. And we may need to remember this going back three months or find something he posted online that describes these purchases.

Then we find there is only one such profile in the data, and we conclude that it must be Scott. Now we have to assume that being unique in the data set means being unique in the population of all credit card purchases.

We need to know, and assume, a lot for this example to work. Anything’s possible, but that doesn’t make it probable. Finding unique profiles, even after aggregating information about them, does not mean we can put a name to the profile. This level of validation, where names are assigned to the data set and an independent authority verifies the results, is sorely lacking.

The authors are right to raise concerns with the public sharing of data. Statistical agencies publicly report aggregated results because of these same concerns, and they use various approaches to make sure these counts minimize the risk of disclosing identities (in a field known as “statistical disclosure control,” none of which is referenced in the report).

It is fair to say that there are significant risks of being “re-identified” in a public data set. But context matters, and the risks for non-public data sets are very different. Sharing health data with a marketer is not the same as sharing it with a health researcher. One has incentive to put names to profiles in the data, while the other is just happy to have data to work with.

The authors are absolutely correct when they point out that taking away the directly identifying attributes – the names, phone numbers, IDs – “does not make it [data] anonymous nor safe to release to the public and to third parties.” However, what the authors are referring to is data masking, not data de-identification. This is a critically important distinction that, far too often, is not recognized or discussed when referencing re-identification risk.

There is a large body of academic work that makes it clear that simple data masking is not enough to protect data that is being shared for secondary purposes. A responsible, risk-based approach built around the specific use of the data must be applied to produce a truly de-identified  data set with a very small risk of re-identification.

Can we say the risk is zero after de-identification? No, because there is always a small residual risk. However, there are no known examples of truly de-identified data that have been re-identified. The incidents of re-identification referenced in this study (and others that have been cited by the media) are all examples of data that was re-identified because they were only masked.

The bottom line is that data that is not properly de-identified is indeed at great risk of re-identification. And this problem is only going to get worse with the growing demand for access to data for secondary purposes (e.g., research, analytics, public health surveillance, clinical trials, quality improvement, marketing) unless organizations apply a more responsible method of de-identification.

There is no need to live in fear that the end of privacy is upon us. We can make reasonable assumptions, and use reasonable approaches to managing risks, same as we do every day when we cross the road at an intersection or drive a car to work. Privacy can be designed into any and all sharing of data. We just have to be reasonable about it. It would be nice if editors of these research reports made it necessary to address the solutions to protecting privacy, rather than opting for the inflated headlines associated only with the problems.

 

Luk Arbuckle

SHARE:

Keywords:
INFORMS site uses cookies to store information on your computer. Some are essential to make our site work; Others help us improve the user experience. By using this site, you consent to the placement of these cookies. Please read our Privacy Statement to learn more.