One of the ways credit card companies help protect you is by anonymizing your data from transactions, stripping it of your name, account number, email address, and so on. The anonymized data is called “metadata.” This way, even if data thieves access the transaction data, they don’t have all your information. However, new research from MIT published in “Science” indicates that the practice isn’t perfect.

Researchers looked at three months of anonymized credit card transactions from over one million cardholders. By analyzing transaction times and shopping patterns, they found they only needed information from three to four purchases in order to identify individual cardholders. Their method produced 90 percent accuracy.

Granted, MIT is full of some pretty smart people, but if they’ve figured this process out, it’s safe to assume data thieves might as well. Metadata is publicly available because it offers “transformational potential” for researchers, according to Yves-Alexandre de Montjoye, lead author of the study.

And, until now, no one ever took much notice of that availability, as the data was supposedly anonymous. But “the privacy we are told that we have isn’t real,” said study co-author Alex “Sandy” Pentland. The study suggests that the enormous volume of metadata relative to the number of criminals looking is one of the few factors keeping your information safe, but also that risks are just a matter of time.

How Social Media Can Make the Process Easier
Data thieves can identify your purchasing patterns whether you’re shopping online or offline. However, certain social media behaviors can make their work easier and, while you can’t do much to protect your metadata, you can make the problem worse. The researchers say that posting a pic of your new purchase on Instagram or talking about it on Twitter or Facebook can provide additional data points to help thieves tie your metadata to you personally. Information on where and when you shop, or what you bought, reduces the number of transactions necessary to pinpoint your identity.

No Need to Revert to Checks Just Yet
Again, given the volume of data, the chances that a Tweet will allow thieves to connect your metadata and identity is fairly low, but it’s still a possibility. It’s also not the first time that sharing too much on social media has made users potential crime victims. Remember the saying about social media: don’t post anything you wouldn’t want to see on the front page of your local newspaper.

Be Smart, Not Afraid
If you think mention of a particular purchase or store visit might put you at risk, then don’t mention it, or at least leave out some of the details researchers say matter. For example, posting every detail of your dinner opens up some small risks, but a Pinterest picture is pretty safe—it’s going to be tough to match that image alone to the any metadata. And do take comfort in the fact that while there may be some smart thieves out there, not too many of them went to MIT.

Photo Credit: Sean MacEntee/Flikr