Techlicious editors independently review products. To help support our mission, we may earn affiliate commissions from links contained on this page.

You’ve likely heard a lot of people talking about metadata these days. The term means, basically, “data about data.” If your name and credit card number are data, for example, then the times and locations where you last swiped that card are metadata. There are a number of privacy protections on your data, especially when it comes to courts of law. But when it comes to metadata, virtually anything goes. It’s not personally identifiable, the logic goes, so it doesn’t impact your right to privacy if it gets shared.

But is that really the case? Researchers at the Massachusetts Institute of Technology (MIT) studied the privacy implications of metadata by combing through three months worth of credit card metadata from 1.1 million people, provided by a major bank for research purposes. The scientists were given three bits of info per purchase: The amount of money spent in each transaction, the type of store visited (e.g., restaurant, supermarket) and a code number representing each person. The researchers built a computer simulation to see if this data could be used to learn the actual identities of the people behind it. The result: When compared against just four pieces of outside location data per person – for example, a geotagged tweet showing a person’s location, GPS data pulled from your phone or a Facebook check-in – researchers were able to personally identify 90% of the credit card holders.

How? The secret, researchers, say, is that our daily spending habits aren’t exactly random. Each person has our own unique spending fingerprint – much like we all have our own unique phone use fingerprint or websurfing fingerprint. With a few pieces of outside data and a few computers powerful enough to look for patterns, just about any piece of metadata can be de-anonymized. Even when far less specific metadata was presented (e.g., what week people shopped, rather than the exact day and time), the folks at MIT were still able to ID purchasers with a 70 percent accuracy.

“We are showing that the privacy we are told we have isn’t real,” MIT researcher Alex Pentland told the Associated Press.

You can read more about the MIT metadata study in the January 30 edition of the journal Science.

[Credit card transaction via Shutterstock]