Thursday, August 23, 2012

Personal Information. How much is too much?

I read the blog post by Patrick Townsend recently about how Personally Identifiable Information (PII) is protected by law and it got me thinking...  First, PII is information that, alone or with other information, can be used to uniquely identify, contact, or locate a single person. (See also the definition on Wikipedia).  However, in the US, what's considered personally identifiable varies by state.  Some don't give any guidance, some just copy laws from other states verbatim.  Some really try to think about it.  The EU seems to be much more strict than the US, and Germany most strict of all I've studied.

Obviously, a first name + last name + US Social Security Number (SSN) would uniquely identify me.  But so would  my email address.  And my name + date of birth + place of birth is probably close to unique.  My fingerprints or other biometric data clearly would be PII.

But what about protecting or limiting it?  Massachusetts courts have crafted rules to say PII must be protected in documents that will be made public during a legal case.  They give some ideas of what's acceptable and how to fix it:
...In the case of a social security number, taxpayer identification number, credit card or other financial account number, driver’s license number, state-issued identification card number, or passport number, only display the last four digits... 
Do these rules really help?  Probably.  But I don't mind some people or places having my PII.  It can make for a better experience (pre-filled forms on web sites, for example) or that by knowing my location and age they can potentially provide better content for me.  For example, if I'm currently in Tokyo but live in NYC, then based on my age, a website could give me tourist information about either Tokyo Disneyland or Tokyo night clubs. It could do it based on my age obviously, or where I'd traveled before (scary!).  If based on my credit card data or FourSquare checkins, I'd been to Disney World Florida, I might be a good candidate for Tokyo Disneyland.  If I spend hundreds in NYC bars, then maybe something more apt to my tastes.

Also, I know that certain government agencies need PII to do their job (taxes, passports, etc), but the real trick is how to limit PII sharing to a "need to know" basis.   And of course, the devil is in the definition of "need".   Citibank wants to know my total net worth determine if I'm a wealthy investor or a lowly serf (the latter, I assure you).

But it's the aggregation of PII that scares me.  The web site aggregates twitter location data, plus Google Street View to make it easily available to see where someone lives, what's nearby and display local;y-relevant ads.  See NakedSecurity's blog for more.  More scary is Take This Lollipop which is meant to scare you about what you're sharing on Facebook.  It's worth a good viewing.  Just lock the front door first.

Chef Julia Childs would have turned 100 last week.  Did you know she was a spy in WWII?  Her records as from the US OSS (precursor to the CIA) are out in the public domain after being declassified.  This includes mundane stuff like her commendations and pay from 1944, but it also included her SSN and a copy of her physical exam.  She was 6'1" and weighed 155lbs. Her blood pressure?  Vision? Hearing?  Heart Rate? They're in there.  (note it's a 280mb PDF).  Clearly that's going too far in sharing PII. Even for someone who's been dead since 2004.  There has to be information, and I'm generally of the opinion that open is better (especially for governments) but, releasing medical records is too extreme for me.

I guess it's like pornography, I'll know there's too much PII when I see it, but defining how much sharing of PII is too much is complex.  There's certainly no easy solution.

Please comment if you have other good examples of how PII has been used for good or evil.

No comments:

Post a Comment