In this week's issue of the journal Science, MIT researchers report that just four fairly vague pieces of information -- the dates and locations of four purchases -- are enough to identify 90 percent of the people in a data set recording three months of credit-card transactions by 1.1 million users.
When the researchers also considered coarse-grained information about the prices of purchases, just three data points were enough to identify an even larger percentage of people in the data set. That means that someone with copies of just three of your recent receipts -- or one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought -- would have a 94 percent chance of extracting your credit card records from those of a million other people. This is true, the researchers say, even in cases where no one in the data set is identified by name, address, credit card number, or anything else that we typically think of as personal information.