Personally identifiable information (PII) refers to data that can directly or indirectly identify individuals.
The following PII directly identify an individual:
|Social Security number||123-45-6789|
A name or a thumbprint are obvious examples of PII. It's not always that straightforward, however.
Consider a phone number:
Using just the phone number, could you directly identify a person? Probably not. Yet, if you also had a phone book for the 408 area code, you probably could.
In other words, the phone number when linked with the phone book could indirectly identify someone.
This example highlights another form of PII: linkable PII, which refers to data that can be combined from separate sources to identify individuals.
Common examples include:
|Location||116 Broadway, NYC, NY, 10027|
|Medical data||Date of visit: March 12, 2020, Diagnosis: Flu|
Is X considered PII?
Classifying information as PII is challenging. For example, one view of IP addresses suggests they are not PII since they identify computers instead of individuals. On the other hand, IP addresses could be considered PII since they often identify geographical locations and act as linkable PII. The correct classification is unclear.
Even if data is not considered to be PII in the present, it may be in the future. If a future government law enforces that an individual owns a set of IP addresses, then IP addresses will become PII by definition. The classification of data as PII can change over time.
Linkable PII makes this classification even more difficult. For example, you can use the timestamps from someone's social media posts to infer the timezone they live in. If that person also posts a photo of a restaurant they ate at, you can use the timezone to figure out where the restaurant could be located. At this point, you could form an approximate idea of where a person lives or who they are! All from linking timestamps with a restaurant photo.
🤔 In this fictional example, do you think the linkable PII was the restaurant photo or the timestamps? What are other examples of data that could be classified as direct PII or linkable PII?
Attackers can steal PII from companies, often known as a data breach.
In 2017, the consumer credit agency Equifax was the victim of a data breach, and attackers had access to the PII of 143 million Americans. The PII included Social Security numbers and credit card numbers.
Once attackers had access to that data, they could use the Social Security numbers to impersonate people or use the credit card numbers to make unauthorized purchases.
How would you know if you were a victim of a data breach? The breached organization will hopefully notify you, but services like HaveIBeenPwned can also provide an answer.
Here's an example from HaveIBeenPwned for a generic email address:
Because PII falling into the wrong hands can hurt the lives of its owners, laws regulate how institutions store and process PII.
For instance, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) regulates medical PII, whereas the Children's Online Privacy Protection Act (COPPA) regulates the PII of children. In Europe, most forms of PII are regulated under a law called General Data Protection Regulation (GDPR). If you ever develop a website or app that deals with PII of users in those jurisdictions, you’ll have to follow these regulations.
As users, it's best to only give out our PII to online services when it's necessary—and it's almost never necessary to give out government identifiers like a Social Security number.
We should also be careful about our posts on social media. Even if our posts are not clearly PII now, there could be things about that data that we don't yet understand that make it linkable PII in the future.
Want to join the conversation?
- So can people link your information just from your name or phone number?(20 votes)
- Yes! There are numerous websites where you can link someone's phone number to their name, or vice versa. Whitepages is a good example of this. However, you can also look up some things, like phone numbers, in phone books or other more traditional collections of personal information to find out who exactly someone is and where they live.(24 votes)
- "When you see an ad on a site that seems personalized to your interests, do you feel happy that it's catering to you or mad that it knows you so well?" -from the article to Discuss
They don't "know you so well", they made a guess. When a company says that it is collecting information to make my experience better, I hear, "We want to know all about you, so we can bombard you with Ads, and make using a search engine worthless. When I first started using search engines you could get EXACTLY what you were looking for. Now? Now, no matter what you search for, you have to wade through ads to find what you want. Algorithms to make search engines better have made them worse, because they seem to be geared toward promoting sales, not information. Amazon is good example of how bad Search Engines have gotten. If you search for Batteries, the results will return every conceivable item that could possibly be related to and/or used with a battery. Using the filters on Amazon to narrow your search is a waste of time, as they still try to push items you aren't searching for on you. So, you spend an hour looking for an item, when it should have taken less than 5mins. This, in my opinion, is not making my experience better.(45 votes)
- You bring up an interesting trade-off between the economic pursuits of the host company and user experience.
To extend the discussion, how do you feel a given company could promote its partner's interests (i.e. display advertisements) without detrimenting the user experience? Do you have any suggestions?
Interesting discussion topic, nice work!(21 votes)
- how can we safeguard our social security or credit card?(15 votes)
- Here are some tips for keeping your information safe.
1) Never enter sensitive information on a public computer.
2) Never enter sensitive information into a website unless you are certain you can trust it.
3) Never enter sensitive information when connected to a public wifi network.
4) Never email sensitive information, even if you receive an email from what looks like a legitimate organization asking for your information.
5) Never insert a flash drive into your computer if it is not yours.
6) Do not download (and especially run) files unless you are confident that they are safe.(60 votes)
- how can a PII from social media be a PII later but not be a PII in a former instance?(12 votes)
- The more personal details you contribute through your history of posting on social media, the more contextual info a person viewing it has about you over time. Just knowing that you live in X city is random info. Your name + city + what school you went to for the 5 year reunion + which sports you like + photos from the same park, same time of day you always post on weekends, all start painting a more specific image of who you are, what you have, and your habits. This becomes an aggregate of information which could be exploited. Sorry it's general and long-winded but I hope it gives you an idea of how random info collected over time can become specific and relevant.(21 votes)
- at a doctor's appointment i put my real info but at other places i don't why?(9 votes)
- A doctor is someone you can trust with your information, since the government has put laws in place that prevent them from exposing your PII. Other places, like suspicious websites, aren't as secure. Some websites will want to steal your information to use it for malicious purposes. However, doctors just need to know some of your information (personal medical history, family medical history, who you are, where you live, etc) so they can help you when you get sick, both by making sure to treat your illness better and identify its cause.(22 votes)
- my head hurts because of all this info! can someone briefly explain?(9 votes)
- In a nutshell, PII is information that can be used to identify you online. It includes things like phone numbers, social security numbers, fingerprints, names, and so on.
There are two types of PII: direct and indirect. Direct PII can immediately let someone know who you are. Indirect PII differs from direct PII because it usually has to be combined with other information in order to identify you.
Many legal gray areas exist when it comes to PII, such as the IP address. It can be used to find your location, even though technically it is not considered PII yet.
Finally, laws in every country regulate how PII is used. For example, the USA has HIPAA and Europe has GDPR. Both of these laws regulate companies' uses of their customers' PII. This is important, as data breaches and irresponsible use of PII can lead to identity theft.
I hope this helped, and please let me know if you have any more questions!(16 votes)
- is there decent PII laws for people.(10 votes)
- I would research the cybersecurity laws for your state, they differ state to state. Even if PII laws do exist, remember that hackers are acting illegally, so tough laws will make them tougher.(11 votes)
- I wonder what pwned means :((7 votes)
- PWNED is most commonly used in sport or online gaming with the meaning "Owned or Truly Beaten" to indicate that a player has suffered or inflicted a humiliating defeat. The term PWNED almost certainly derives from the erroneous typing of OWNED. (The letters P and O are next to each other a standard keyboard.)(6 votes)
- When is it ever acceptable to give a social security number? Is it ok to put a social security number on a job application if it is from a reputable organization?(5 votes)
- You will generally need your social security number when doing things related to finances such as taking out loans or filing taxes. You probably would not need to put your social security number on a job application, however, if you accept a job offer, you will need to provide it for tax forms.(6 votes)
- why am i doing this(7 votes)