Credit card users may be dismayed by findings MIT Researchers reported last week in the journal Science: Just a few pieces of vague non-identifying information, namely the dates and locations of four purchases, were enough to identify 90 percent of people in a data set of 1.1 million credit card users over a three-month transaction period.
When the researchers went to work with three pieces of less vague information, such as three receipts, or, say, one receipt plus an Instagram photo of the customer and a tweet the customer sent, there was a 94 percent chance of being able to extract the subject’s credit card records from a million other people — even though the data set seemingly was scrubbed clean of identifying information such as names, addresses and credit card numbers.
The study highlights what is a privacy concern for individuals, Chris Czub, security research engineer at Duo Security, told CRM Buyer.
“This data is supposed to be anonymized and stripped of identifying information — this is data that credit card companies sell to marketing research firms with the goal of allowing them insight into customer trends and patterns. If someone in possession of ‘anonymized’ credit card transaction data can identify users, that promise of anonymity is broken.”
Giving third parties access to the raw data presents too many risks to privacy. That is an unavoidable conclusion from the study, Czub continued. Indeed, the MIT researchers appear to be thinking along the same lines. They suggest that this data should be safeguarded from unauthorized access, and only abstract views of the data should be given rather than a raw feed.
“Unfortunately, extant payment card industry data protection standards, such as PCI-DSS, do nothing to address this problem,” Czub continued.
There are other weaknesses as well, such as the lack of a federal law requiring organizations to follow the standards, to say nothing of the fact that the standards are created within the payment card industry.
Such a setup “presents possible conflicts of interest between their commercial desires and the privacy and security desires of consumers,” Czub said. “What’s needed is stronger regulation of information security in general, with substantive penalties for failure to adhere to regulations.”
No Privacy Anymore
This issue will only worsen as technologies such as the Internet of Things gain momentum, warned Kevin Duggan, CEO of Camouflage.
“For instance, the mere presence or absence of ‘transaction’ data could provide clues that identify individuals,” he told CRM Buyer.
There are some tactics that can better safeguard privacy, Duggan said, such as data masking thorough data anonymization — and not just for credit card numbers.
“This technology allows testers and developers to still use the data, but ensures that metadata leaks will never lead to surmising the identity of an individual,” he maintained.
Essentially, businesses need to lock down all data, regardless of how innocuous it might seem at first glance, advised Duggan.
Consumers eventually will demand better data privacy protection, said David Giannetto, author of Big Social Mobile: How Digital Initiatives Can Reshape the Enterprise and Create Business Value.
“As this becomes a bigger problem, smarter companies will enter the market that use consumer data privacy as a main part of their value proposition,” he told CRM Buyer.
“This will quickly draw consumers to them and force the rest of the market to react with tighter controls. The market will fix itself, but it will probably take several years before this happens,” he explained.
“What you will see in the long run,” Abine Chairman Eugene Kuznetsov told CRM Buyer, “is consumers picking products and services based on the amount of privacy they offer.”