Life of PII: is the Definition of Personal Identity Information Still Relevant?
When we discuss the notion of data privacy, one of the most important questions we should ask ourselves is: which information is considered private? To help solve this mystery, investigating the concept of Personal Identity Information (PII) seems like an excellent place to start. We'll discuss what PII is all about, how it evolved, and what could make it irrelevant for today's online privacy landscape.
What is PII?
PII is information that, when used alone or combined with other data, could lead to a specific person and reveal their identity. The standard definition includes an individual's name, IP address, phone number, ID or social security number, etc. If we can use this data to figure out the names behind it, it falls under the definition of PII.
This term has served development and compliance teams for years, although its definition is not official and has evolved and shifted over time. For example, the U.S. Information Technology Laboratory includes five different definitions in its Computer Security Resource Center glossary, but most revolve around the same notion: "Information that can be used to distinguish or trace an individual's identity."
Examples of PII
- Name
- Telephone number
- IP address
- Media access control (MAC) address
- Social security number
- Street address
- Email address
- Fingerprints
- Voice signature
- Passport number
- Bank account details
- Credit card number
- State identification number
- Driver’s license number
- Taxpayer identification number
- Vehicle registration number
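The categories above are abstract until you see them in the data a company actually holds. As an added example (not code from the original article), the following Python scrubber runs a few regex detectors for some of the listed categories (email address, IP address, social security number, telephone number) over constructed log lines and replaces each hit with a category tag. The log lines, the placeholder addresses (example.com, 192.0.2.0/24) and the patterns are all assumptions made for this illustration; real scrubbers combine regex with context-aware detectors because regex alone both misses PII and over-matches.

```python
import re

# Constructed sample log lines (not real data) that mix PII with ordinary
# application output. Addresses use reserved documentation ranges
# (example.com, 192.0.2.0/24) so nothing here points at a real person.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z login ok user=jane.doe@example.com ip=192.0.2.45",
    "2024-05-01T10:02:30Z support ticket phone=+1 (555) 123-4567 subject=refund",
    "2024-05-01T10:03:02Z kyc upload ssn=123-45-6789 status=pending",
    "2024-05-01T10:03:40Z health check ok latency_ms=12",
]

# Deliberately simple patterns for four of the PII categories listed above.
# Order matters: the SSN pattern runs before the phone pattern so that a
# nine-digit SSN is not partially consumed as a phone number.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\+?\d{1,2}?\s?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"),
}


def find_pii(line):
    """Return a list of (category, matched_text) for every PII hit in the line."""
    hits = []
    for category, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(line):
            hits.append((category, match.group(0)))
    return hits


def redact(line):
    """Replace each PII hit with a category tag so the log stays useful for debugging."""
    for category, pattern in PII_PATTERNS.items():
        line = pattern.sub(f"<{category}>", line)
    return line


def scrub_log(lines):
    """Redact every line and return (redacted_lines, per-category hit counts)."""
    counts = {}
    redacted = []
    for line in lines:
        for category, _ in find_pii(line):
            counts[category] = counts.get(category, 0) + 1
        redacted.append(redact(line))
    return redacted, counts


if __name__ == "__main__":
    clean, summary = scrub_log(SAMPLE_LOG)
    print(summary)
    print("\n".join(clean))
```

Running the scrubber over the constructed lines reports one hit per category and leaves the health-check line untouched; a practitioner would wire the same `scrub_log` step in before logs leave the application, because the categories above are exactly what ends up in tickets, crash dumps and analytics exports.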
What is non-PII?
Non-personally identifiable information is data that cannot be used on its own to trace or identify an individual.
PII and data privacy
Why do we care if certain information reveals our identity? The significance of PII in the world of data privacy is mainly related to identity theft, although it might be used for other things as well, like cyber extortion. This information can be used for impersonation, access to personal assets, drawing further information, and more. Malicious players can use PII to convince our bank to transfer money, send scam emails that feel authentic because they contain personal information, break into other private areas for ransom purposes, and more.
Hackers target PII specifically, as in the recent Facebook data breach that revealed the PII of more than 500 million users. Companies invest many resources in preventing PII access, and a loophole found in Microsoft Teams led the company to immediately develop a new feature. Some companies focus on "identity intelligence," protecting PII through AI and machine learning-based capabilities that measure identifiable and attributable information.
That's why it's no coincidence that PII served as the basis for legal definitions in recent data privacy regulations. CCPA, for example, states that information considered private is "capable of being associated with, or could be reasonably linked, directly or indirectly, with a consumer or a household." We can see that the concept of PII continues to be used by data teams today, but is that because it's still relevant or just out of habit?
PII has evolved
If some information is considered private, that means other data is not. But in today's digital world, we scatter many tiny puzzle pieces that may not be considered PII by definition but are, in fact, unique and personal enough to cause severe damage; a recent example is the outing of a priest in the US. Hackers can put together enough non-PII data to reach more substantial information. As our digital identities evolve, the information we make public or share with companies becomes more significant and more dangerous, and easier for malicious players to exploit. The recent data scraping incidents on Facebook, LinkedIn, and even Clubhouse are alarming examples. Hackers gather seemingly harmless, publicly available information and use dedicated tools to put enough data pieces together to enable identity fraud or expose our identities.
The truth is, no data can be considered 100% safe. Once our faces started unlocking our phones, our pictures became personal assets. So do our voices and any other general information we put out there.
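The "puzzle pieces" argument above can be measured rather than asserted. The following Python snippet is an added example, not code from the original article: it takes a constructed table of records in which no single column is PII by the standard definition (a ZIP code, a birth year, a sex, a job title, each shared by at least two people) and computes the k-anonymity of every column combination, i.e. the size of the smallest group of records that share the same values. A value of k=1 means at least one person is singled out by that combination alone, before any name is attached. The records, field names and thresholds are assumptions made for this illustration; the method generalises to any tabular export you are deciding whether to publish or share.

```python
from collections import Counter
from itertools import combinations

# Constructed records (not real people). Every column on its own is shared by
# at least two records, so no single column is identifying by the usual PII test.
FIELDS = ("zip", "birth_year", "sex", "job")
RECORDS = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "job": "nurse"},
    {"zip": "02138", "birth_year": 1965, "sex": "M", "job": "teacher"},
    {"zip": "02138", "birth_year": 1990, "sex": "F", "job": "teacher"},
    {"zip": "02139", "birth_year": 1990, "sex": "M", "job": "nurse"},
    {"zip": "02139", "birth_year": 1990, "sex": "M", "job": "nurse"},
    {"zip": "02139", "birth_year": 1965, "sex": "F", "job": "nurse"},
    {"zip": "02140", "birth_year": 1978, "sex": "F", "job": "teacher"},
    {"zip": "02140", "birth_year": 1978, "sex": "M", "job": "teacher"},
]


def group_sizes(records, fields):
    """Count how many records share each combination of values for the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size; k=1 means at least one person is uniquely singled out."""
    return min(group_sizes(records, fields).values())


def unique_fraction(records, fields):
    """Share of records that are the only one with their combination of values."""
    sizes = group_sizes(records, fields)
    singletons = sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)
    return singletons / len(records)


def minimal_risky_combinations(records, fields, max_k=1):
    """Smallest field subsets whose k-anonymity is at most max_k.

    Supersets of an already risky subset are skipped: adding a field can only
    split groups further, so it can never raise k.
    """
    risky = []
    for n in range(1, len(fields) + 1):
        for subset in combinations(fields, n):
            if any(set(r).issubset(subset) for r in risky):
                continue
            if k_anonymity(records, subset) <= max_k:
                risky.append(subset)
    return risky


if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f}: k={k_anonymity(RECORDS, (f,))}")
    print("risky combinations:", minimal_risky_combinations(RECORDS, FIELDS))
    print("unique with all fields:", unique_fraction(RECORDS, FIELDS))
```

On the constructed table every single column has k of at least 2, yet five of the six column pairs drop to k=1, and with all four columns three quarters of the records are unique. That is the mechanism behind the scraping incidents the article describes: a defender deciding what to release should run this kind of check on the combination of fields, not on each field in isolation, and generalise or suppress values until the smallest group is an acceptable size.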
The future of PII
In a world where everything is personal, we must shift our focus from what we share to whom we share it with. Instead of asking whether or not this data is private (spoiler: it is), we have to ask: does this business offer sufficient security measures? Do we even need this service in the first place? The more data you share, the bigger the risk. Online services and products that require any information at all but fail to provide substantial value will be examined and possibly deleted from our data-sharing index. When technologies like Mine offer a quick overview of our data-sharing landscape, it's easy to turn conclusions into action.
By actively managing the data ourselves, we can decide what's personal to us and what should be shared, and with whom.