By Simone Polisano on Thursday, 06 June 2019
Category: All

PII Part 1: The Black the White and the Gray

In recent years, as we have become more and more dependent on technology in our daily lives, managing who has access to our information has become a burdensome task. Because of this, many governmental entities have been creating laws to help keep consumers' private information safe. These laws force companies that deal with customer data to take a more careful posture in the business-to-consumer relationship, which gives the consumer a more meaningful position in the conversation about who should and should not have access to their information.

While Personally Identifiable Information (PII) may seem like a very straightforward and simple concept, there are some caveats that a person might need to understand before having a solid grasp of it.

NIST (the National Institute of Standards and Technology) is one of the most respected entities when it comes to establishing technological standards. Its definition of PII is very simple and reasonable:

“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information”.

The Black and White Areas

Certain kinds of information are inherently unique and constitute PII as a single piece of information, such as a Social Security Number (SSN) or biometric details (fingerprints, retina patterns, voiceprints, etc.). These items were created to identify a unique individual and are often used as a record locator by governmental agencies. Knowing an SSN, for example, could lead someone to a person's name and address and provide information that could even aid the theft of that person's identity.

Gray Areas

A person's name is often used in public domains, and most names are not so unique that they can distinguish a single person. In fact, my name, even though it is not common, is only unique if it includes my first, last and middle name. This is precisely why some kinds of information become PII when linked with other information, such as a person's name with their address, or a person's email address with their name. While a name with an email address may seem like a very low-risk pairing, there are videos on YouTube that demonstrate people calling email providers and, with the aid of social engineering, convincing the provider to reset a password. This kind of attack on a person's identity would be facilitated just by knowing some simple things like the name of the email account holder and some minor personal details that might be accessible on social media.

A person's name can be PII if it is totally unique, and there are certainly some out there. A person's photograph is considered to be PII because it is a biometric, even though it is socially common for people to display their picture with their name as part of their user profile. Websites such as LinkedIn and Facebook routinely display a person's first and last name, a picture of them, and the city or metropolitan area they reside in. This practice was quite common before we started having open discussions about the public display of PII and how dangerous it is. Under today's constraints those sites survive under a grandfathered premise: it was OK yesterday, so we will continue to operate the same way. But you may very well see this eliminated even in those environments as people become more concerned about their personal information.

To be respectful of this, treat any PII you handle as if it were your own information being stored. If I were designing an application that collected information that could possibly be PII, the first rule I adhere to is to never collect anything that is not needed. If there is a need for it, consider discarding selected portions of the data to make it less useful for identity theft. If you must retain information, store it in such a way that it is difficult to pinpoint a person from the information you hold. Write the record so that locating it requires the identifying information to be supplied.
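The three rules in the paragraph above (collect only what is needed, discard the parts that make a value useful for identity theft, and store records so that they can only be located by someone who already holds the identifying value) can be expressed as code. The following is an added example written for this post, not the author's own design or any particular product's storage layer; the field list, the `PiiStore` class, the `minimize` helper, the sample intake record and the server-side index key are all constructed for illustration.

```python
"""Added example: minimize PII at intake and store records behind a blind index.

Everything here is hypothetical: the schema, the class and function names,
and the sample data are constructed for illustration and are not from the post.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Rule 1: the only fields the hypothetical application actually needs.
# Anything else submitted at intake (name, phone, date of birth, ...) is dropped.
NEEDED_FIELDS = {"ssn", "email", "postal_code"}


def minimize(raw: dict) -> dict:
    """Keep only needed fields and reduce the ones we keep (rules 1 and 2).

    The full SSN is never stored; only its last four digits survive, which is
    enough to confirm a caller's identity but useless on its own for identity theft.
    """
    kept = {k: v for k, v in raw.items() if k in NEEDED_FIELDS}
    if "ssn" in kept:
        digits = "".join(ch for ch in kept["ssn"] if ch.isdigit())
        kept["ssn_last4"] = digits[-4:]
        del kept["ssn"]
    return kept


class PiiStore:
    """Rule 3: records are keyed by a keyed hash (HMAC) of the e-mail address.

    The table never contains the address itself, so a dump of the table does not
    yield a list of addresses, and a record can only be found by someone who
    supplies the address it belongs to.  HMAC with a server-side key, rather than
    a bare SHA-256, means an attacker who obtains the table but not the key cannot
    test candidate addresses against the index column.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._rows: Dict[str, dict] = {}

    def blind_index(self, email: str) -> str:
        # Normalise so "Jane@Example.com" and "jane@example.com" locate the same record.
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self._index_key, normalised, hashlib.sha256).hexdigest()

    def put(self, raw: dict) -> str:
        """Minimise the intake record, use the e-mail only as the locator, store the rest."""
        record = minimize(raw)
        email = record.pop("email", None)
        if email is None:
            raise ValueError("an e-mail address is required to locate the record later")
        idx = self.blind_index(email)
        self._rows[idx] = record
        return idx

    def get(self, email: str) -> Optional[dict]:
        """Only a caller who already knows the address can retrieve the record."""
        return self._rows.get(self.blind_index(email))

    def dump(self) -> List[dict]:
        """What an attacker holding the raw table would see: no names, e-mails or full SSNs."""
        return [dict(idx=idx, **row) for idx, row in self._rows.items()]


# Constructed sample intake record (not real data).
SAMPLE_INTAKE = {
    "name": "Jane Q. Example",
    "email": "Jane.Example@example.com",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "postal_code": "02139",
}


def demo(index_key: bytes = b"demo-key-for-illustration-only") -> dict:
    """Run the intake-and-lookup flow once and return the observable results."""
    store = PiiStore(index_key)
    idx = store.put(SAMPLE_INTAKE)
    return {
        "index": idx,
        "found": store.get("jane.example@example.com"),
        "not_found": store.get("someone.else@example.com"),
        "table": store.dump(),
    }


if __name__ == "__main__":
    # In a real deployment the key would come from a secrets manager, not the code.
    print(demo(secrets.token_bytes(32)))
```

The design choice worth noting is the HMAC: hashing the e-mail with a plain digest would let anyone who stole the table recompute indexes for a list of guessed addresses, whereas the keyed index makes the table useless without the separately stored key. The last-four-digits reduction is the "dump selective portions" rule applied to the one value in the record that is PII on its own.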

In the second part of this blog post I will cover Using PII Carefully and Data Design Precautions.