Whether you're making a phone call, sending a text, or just buying a cup of coffee with your credit card, you're creating a constant stream of electronic data. It turns out this data could be used to track you—even if it doesn't have your name on it.

According to Yves-Alexandre de Montjoye, an MIT computer scientist, even totally private metadata—that is, data completely stripped of all personal information like names and phone numbers—may not be as anonymous as we'd like to believe. In a new study, he and his colleagues took the anonymized credit card records of 1.1 million people. The researchers found that more than 90 percent of the time, comparing just four simple pieces of outside information (for example, that someone shopped at a specific store on a given day) was enough to identify someone. That means the researchers could connect a real person's identity (for example, William Herkewitz) to their anonymous avatar in the "private" data set (say, shopper#2232_8), along with every interaction that was recorded. Having even more specific information, like the exact price someone paid at a restaurant, made re-identification 22 percent more likely.
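The attack described above can be sketched in a few lines. This is a toy illustration of the general idea, not the researchers' actual method or data: each pseudonymous shopper is given a sparse trace of (shop, day) transactions, and an attacker who knows four such points about a real person checks which pseudonyms match. All names and numbers here are invented.

```python
import random

random.seed(0)

# Toy stand-in for an anonymized transaction data set: each pseudonymous
# shopper has a sparse trace of (shop, day) pairs. Entirely invented data.
SHOPS, DAYS = 50, 30
users = {
    f"shopper#{uid}": {(random.randrange(SHOPS), random.randrange(DAYS))
                       for _ in range(40)}
    for uid in range(1000)
}

def matching_pseudonyms(known_points, dataset):
    """Return every pseudonym whose trace contains all the known points."""
    return [uid for uid, trace in dataset.items() if known_points <= trace]

# An attacker learns four outside facts about one real person, e.g. that
# they shopped at certain stores on certain days.
target = "shopper#123"
known = set(random.sample(sorted(users[target]), 4))

candidates = matching_pseudonyms(known, users)
# Because the traces are sparse, four points typically narrow the data set
# down to very few pseudonyms, often just the target's.
print(candidates)
```

The point the study makes is statistical: with high-resolution traces like these, four observations are usually unique to one person, so stripping names alone does little.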

"The takeaway is that we really need to rethink what it means when something is 'anonymized'. With regard to this data, anonymous is not a binary term; it's not black and white. And when we run the risk of reconnecting personal information, we should take that into account when we release and share data," de Montjoye says.

Redefining "Anonymous"

The new research could spur governments to update what is known in privacy law as PII—legalese for personally identifiable information. This is important, because how government bodies define PII determines how, when, and whether your potentially private information is shared or released. For example, your credit card company would have to evaluate exactly how great the risk is of you being re-identified before it could release anonymous metadata that includes you, even if it's been scrubbed of your private info.

For years, privacy policy experts like Paul Schwartz at the University of California, Berkeley, have argued that government policy and law should reflect a more nuanced view of identifiable information—which he calls PII 2.0. The new definition, Schwartz stated in a Bureau of National Affairs bulletin back in 2012, should consist of "…two categories of PII, 'identified' and 'identifiable' data," alongside non-identifiable data, and "treat them differently." This would allow lawmakers to differentiate between shades of data that are technically anonymous but, as the new study shows, run the risk of re-identification.

Data For Good

While de Montjoye agrees that PII 2.0 is the logical next step, he also emphasizes that we should pursue methods to make use of anonymized data—such as the credit card data he used in his study—without sacrificing privacy. He points to the openPDS project, which he is part of, that lets scientists and researchers "ask questions and get answers from such data, without giving them complete control over it," he says.
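The idea behind that kind of system can be sketched as follows. This is not openPDS's actual API; `SafeAnswers` and everything in it are invented here to show the principle that raw records stay behind an interface that returns only aggregate answers.

```python
# Toy sketch of a "questions, not raw data" interface: callers can ask
# aggregate questions, but the underlying transactions are never returned.
class SafeAnswers:
    def __init__(self, transactions):
        # list of (user, shop, price) rows; kept private, never exposed
        self._transactions = transactions

    def average_price(self, shop):
        """Answer an aggregate question without revealing individual rows."""
        prices = [p for _, s, p in self._transactions if s == shop]
        return sum(prices) / len(prices) if prices else None

store = SafeAnswers([("a", "cafe", 3.5), ("b", "cafe", 4.5), ("a", "deli", 9.0)])
print(store.average_price("cafe"))  # 4.0
```

A real system would also need to limit how many and which questions can be asked, since carefully chosen aggregates can themselves leak individual records.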

Much of this information is stored, and, government surveillance aside, "there are actually a lot of genuinely good uses for that data, if we are conscientious about people's privacy," de Montjoye says. "In the sciences, we can use it in fascinating new ways to answer really old sociological questions, as well as questions about the economy and consumption."
