Friday 23 October 2015

The crushing inevitability of MiData

Yesterday there were news stories about how the average UK consumer could save up £70 a year by changing bank accounts. Unbeknownst to me, the government had launched an initiative months ago, urging banks to allow customers to download their bank account transaction history in a standard format, namely MiData.

MiData is a comma separated value text file, you can open it in NotePad or Excel.

At the moment pretty much the only two things you can do with MiData is faff about with it in a spreadsheet, or upload it to GoCompare who will somehow process it and tell you which bank to change to.

I think GoCompare just looks how far into your overdraft you go and what the average account balance is, they then look at which bank accounts charge and pay what interest and other goodies and make recommendations. Their best recommendation for me was some Yorkshire bank who charge higher interest, but give you a £150 switching bonus, so less of a saving, more like a one-off free gift.

Anyhoo, there's so much more potential and risks involved with MiData.

Years ago I read online, possibly from Worstall, of an idea for banks (with the user's permission) to mine your data and automatically save you money by changing various service providers. For example say your current energy provider charges £30 a month, but other people in your area with the same household size are only paying £20 with a different provider, then the bank would change you over, saving you £10 a month. Presumably the bank would pocket half your saving for a limited period, but since you're paying less, who cares. No bank has done this, probably because of privacy laws.

With MiData, the ability to minedata is outwith your bank. But at the moment, there are no tools, no services. The main risk is that the MiData is just too personal.

When your bank lets you download the MiData, it is "anonymised" which by the looks of things means they remove any account numbers, and anything that look like an account number, just replacing it with asterisks. This only makes it anonymous in that you don't know personal account details, but that's not enough.

As an aside, I understand that some car insurers fit a black box that records your car's speed and time, so that they can insure you appropriately for how safely you drive. I read that some researchers can use this speed data alone to figure out where you are going each day. It takes a bit of datamunging, but presumably if you know the start point and the junction one way is 30 seconds drive and the junction the other way is 50 seconds drive. Any nefarious criminal can map your life just from speed measurements.

Similarly, from MiData, even without account details, it would be trivial to identify a person from their transactions.

For example, looking at petrol stations and supermarkets you can get a feel of where in the UK a person lives and works, they'd do their weekly shop within one or two miles of their house, their regular petrol fill up will be somewhere between their home and their place of work. Or even better their local train station or work train station will be within less than a mile. Occasionally they will be travel or petrol transactions further away, these would be holidays or visiting family members, traditionally some family members stay in the same place where they grew up. Likewise gift purchases will coincide with birthdays. An investigator can get themselves to Linkedin and Facebook and look for people who live in this area, work in another area and grew up some other specific place, and who's partner / parents have birthdays at whatever time of year.

There aren't many people who live in Chingford and work in Hertford, even fewer who grew up in Manchester.

Anyhoo, the cat is out of the bag. Like in the book The Light of Other Days by Stephen Baxter and Arthur C. Clarke, the post-millenial generation aren't going to give a crap about privacy, compared to the "benefits" of datamining. I imagine that security expert Bruce Schneier would be doing his nut in.

So, having identified a gap in the market, I have an awesome idea for a business that will turn me into the millionaire I've always dreamed of being.

First we create an app or website where people upload their MiData to and the site gives you a neat pie chart showing how you spend your money in categories like supermarket, petrol, Entertainment, etc, and histograms showing how much you spend on each category each month. Just like Quicken used to do before they discontinued the UK version.



Don't worry, your data has already been anonymised by the bank, the government said so.

Then once we have enough people's "anonymised" data, we add some data, like geographic locations for each supermarket, train station and petrol station and cafe, then we offer website users a fancy map showing where they spend. People will think its ace, and Bruce Schneier will start getting worried.

Then we do some more analysis showing how much people in different areas are spending on things, like the aforementioned energy providers, and we can start charging users for recommendations for where to switch to.

Then we can start telling people how many kids we think they have based on their data, and how many bedrooms their house has, recommendations of which car they should buy next, which phone and whether they are engaged in illegal activity, or what things they do that are abnormal.

The problem is that I don't have time to do this, neither have I the skills. Someone else will.



The government will at the same time as encouraging it and providing grants to organisations who can take advantage of the MiData, will also have very legitimate concerns about privacy.

There is a very faint trend on social media for young people, teenagers who have just received their first ever credit card, to post photos of said card and unwittingly give away the security number, so that nefarious people will use their details. Young people can be stupid. Lots of people are stupid and will do stupid things.

The government, and parents too, have a difficult job in weighing up the benefits of things like MiData and credit cards, with the risks. What protective measures will they put in place that are just as much of a ballache as the EU Cookie Directive, that makes you have to click on disclaimers on websites.

Imagine, if you will legislation that protects people's MiData privacy by putting in place some hardcore digital rights management, only allowing special government approved organisations and businesses to view and process, thus no small app developer could play with the data, only GoCompare and the banks and probably government departments, HM Revenue & Customs, and the police, probably hospitals too. Some DRM system that's so encrypted and heavyweight that developers often do raw datadumps, and leave hard disks and DVDs on trains.

This is what happens.