Some years ago, The New York Times used bulk search records mistakenly published online by America Online (AOL) to identify a woman living in Lilburn, GA — just down the road from me — solely from the pattern of her web queries.
That was the first time I can recall “metadata” receiving serious public attention as a threat to our personal privacy. Since then, it’s become a matter of serious concern to many people.
“Metadata” is the information surrounding our electronic activity. Unlike actual content, like our emails or bank account numbers, metadata in isolation is anonymous. It’s like the postmark of origin and destination address on a letter. Even if the names of the sender and received aren’t visible on the envelope, it doesn’t take much to figure out who sent what to whom … and from there, to speculate about why.
Now researchers at the Massachusetts Institute of Technology have developed a method to determine an individual person from just four pieces of secondary information — metadata such as location or timing of credit card purchases, for example.
And it’s accurate 90% of the time. That’s bad news if you care about your privacy. But there’s a way to beat it.
Private Eyes No Longer
Ever since Sir Arthur Conan Doyle started writing Sherlock Holmes mysteries, it’s been fun to follow fictional detectives as they use their skills to infer names and facts from apparently unrelated information. We admire the intelligence and lateral thinking involved to catch the bad guy. It’s a long but captivating process, helpfully concluded just before the end of each story, TV show or movie.
But now an army of private and public agencies is going way beyond the limitations of the individual human brain to deduce all sorts of things about all of us from the digital trail we leave behind.
Now, the MIT study in question didn’t actually identify the individuals associated with those four pieces of metadata. But they did demonstrate that it’s easy to do so when you combine that metadata with other easily-obtainable information, like location information captured by smartphone apps for Facebook, Twitter or Foursquare.
The Wall Street Journal reports, for example, that “Last November … ride-share company Uber disclosed it had combined its customer records of late-night trips in major cities with local crime reports to calculate the likelihood that its weekend riders were visiting prostitutes.”
Ouch. Especially given the fact that Uber is known to be able to identify specific users from their customer records.
Of course, there are deeper implications.
Hiding in Plain Sight
Metadata enables the private sector and government to track your movements and purchases, even if the data has been stripped of identifiers specific to you, like your credit card numbers. But there’s a way to beat that … one that takes advantage of a technology I predict you’ll be using soon.
Earlier this year I wrote a report for Offshore Confidential subscribers in which I described a way to achieve far greater data and personal security than possible when using physical credit and debit cards. It involves smartphone-based payment systems such as Apple Pay.
Although iPhones can be a privacy risk — one that can be mitigated with some smart adjustments — their one great advantage is that the new Apple Pay app uses a technology called “tokenization,” which completely masks your personal identity and banking information. When you transact, that information is converted into an encrypted form that nobody can read — not even Apple, or your bank. The encrypted “token” is unique to each transaction, so it can’t be tracked from place to place and from time to time.
Outwitting the Spies
In a testament to the power of the market, companies like Apple are increasingly being forced to meet the popular demand for fully encrypted, anonymous means of communication and transacting.
It’s a tricky path for some of them, like Google, who also want to make money from the data they collect about us. But for companies like Apple who aren’t in the business of selling customer data to third parties — or giving it to the government — digital anonymity is a major attraction for privacy-minded customers.
I’m always suspicious of things that seem too good to be true. Someday Apple Pay and similar tokenization technologies may be found wanting. But for now, the pragmatist in me is willing to give them a try.
So should you.
Offshore and Asset Protection Editor