AP®︎/College Computer Science Principles, Unit 7, Lesson 2
PII (Personally identifiable information)
Personally identifiable information (PII) refers to data that can directly or indirectly identify individuals.
The following PII directly identify an individual:
| Type of PII | Example |
|---|---|
| Social Security number | 123-45-6789 |
A name or a thumbprint are obvious examples of PII. It's not always that straightforward, however.
Consider a phone number:
Using just the phone number, could you directly identify a person? Probably not. Yet, if you also had a phone book for the 408 area code, you probably could.
In other words, the phone number when linked with the phone book could indirectly identify someone.
This example highlights another form of PII: linkable PII, which refers to data that can be combined from separate sources to identify individuals.
Common examples include:
| Type of PII | Example |
|---|---|
| Location | 116 Broadway, NYC, NY, 10027 |
| Medical data | Date of visit: March 12, 2020, Diagnosis: Flu |
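A program that stores or logs text such as support tickets has to find these identifiers before the text is written anywhere. The following is an added example, not code from the lesson: a small scanner that matches the direct identifier the lesson shows (a Social Security number) and two identifiers that are only linkable on their own (a phone number and an email address), labels each finding as direct or linkable, and redacts them. The sample ticket text, the phone number (408 area code, fictional 555 exchange) and the "direct"/"linkable" labelling of each pattern are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Pattern name -> (regex, category). The categories follow the lesson's
# distinction: an SSN identifies a person by itself, while a phone number
# or email address usually needs another source (a phone book, a mail
# provider) to get to a person. The regexes are deliberately simple.
PII_PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "direct"),
    "phone": (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"), "linkable"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "linkable"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    category: str   # "direct" or "linkable"
    value: str      # the matched text
    start: int      # character offsets in the scanned text
    end: int


def scan(text: str) -> List[Finding]:
    """Return every PII match in the text, ordered by position."""
    findings = []
    for kind, (pattern, category) in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(kind, category, m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with a tag so the text can be stored or logged."""
    out = text
    # Work from the right so earlier offsets stay valid after each replacement.
    for f in reversed(scan(text)):
        out = out[:f.start] + f"[{f.kind.upper()} REDACTED]" + out[f.end:]
    return out


# Constructed sample ticket (not from the lesson). Note that the name and the
# visit date are also PII, but no simple pattern can recognise them.
SAMPLE_TICKET = (
    "Customer Jane Example (SSN 123-45-6789) called from (408) 555-0123 "
    "and asked us to reply to email@example.com about her March 12, 2020 visit."
)

if __name__ == "__main__":
    for f in scan(SAMPLE_TICKET):
        print(f"{f.kind:5} {f.category:8} {f.value}")
    print(redact(SAMPLE_TICKET))
```

The scanner catches the three pattern-shaped identifiers but leaves "Jane Example" and the visit date untouched, which is the practical lesson: pattern matching finds direct identifiers with a fixed format, while linkable PII such as names, dates and places needs context-aware handling (field-level policies, not regexes).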
Is X considered PII?
Classifying information as PII is challenging. For example, one view of IP addresses suggests they are not PII since they identify computers instead of individuals. On the other hand, IP addresses could be considered PII since they often identify geographical locations and act as linkable PII. The correct classification is unclear.
Even if data is not considered PII today, it may be in the future. If a future law established that an individual owns a particular set of IP addresses, then IP addresses would become PII by definition. The classification of data as PII can change over time.
Linkable PII makes this classification even more difficult. For example, you can use the timestamps from someone's social media posts to infer the timezone they live in. If that person also posts a photo of a restaurant they ate at, you can use the timezone to figure out where the restaurant could be located. At this point, you could form an approximate idea of where a person lives or who they are! All from linking timestamps with a restaurant photo.
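The timezone step of this scenario can be checked on your own posting history. The following is an added example, not code from the lesson, written as a privacy self-check: it scores every whole-hour UTC offset by how many of a set of post timestamps would fall into a "typical posting" window if the poster lived in that zone, reports how many offsets tie for the best score, and then shows the mitigation of publishing only the date. The sample posts, the 08:00-23:59 window and the UTC-8 zone are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumption for this example: people mostly post between 08:00 and 23:59 local time.
AWAKE_HOURS = range(8, 24)


def offset_scores(timestamps: List[datetime]) -> Dict[int, int]:
    """For each whole-hour UTC offset, count how many posts would fall in the
    awake window if the poster lived in a zone with that offset.
    (Half-hour zones are ignored to keep the example short.)"""
    utc_hours = [ts.astimezone(timezone.utc).hour for ts in timestamps]
    return {
        offset: sum(1 for h in utc_hours if (h + offset) % 24 in AWAKE_HOURS)
        for offset in range(-12, 15)
    }


def infer_utc_offset(timestamps: List[datetime]) -> Tuple[int, int]:
    """Return (most plausible offset, number of offsets tied for that score).
    A tie count of 1 means the timestamps pin the zone down; a large count
    means they leak little."""
    scores = offset_scores(timestamps)
    best = max(scores.values())
    tied = sorted(o for o, s in scores.items() if s == best)
    return tied[0], len(tied)


def coarsen_to_day(timestamps: List[datetime]) -> List[datetime]:
    """Mitigation: keep only the date. Every post then looks like midnight UTC,
    so the hour-of-day signal is gone."""
    return [
        ts.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
        for ts in timestamps
    ]


# Constructed sample: ten posts by a fictional account, made at these local
# hours in a UTC-8 zone. A platform would store and display them in UTC.
TRUE_OFFSET = -8
LOCAL_HOURS = [8, 9, 12, 13, 17, 18, 20, 21, 22, 23]
SAMPLE_POSTS = [
    datetime(2020, 3, 12, h, 0, tzinfo=timezone(timedelta(hours=TRUE_OFFSET)))
    for h in LOCAL_HOURS
]

if __name__ == "__main__":
    print("full timestamps:", infer_utc_offset(SAMPLE_POSTS))
    print("date only:      ", infer_utc_offset(coarsen_to_day(SAMPLE_POSTS)))
```

With full timestamps a single offset (UTC-8) scores best, which is the leakage the lesson describes; after coarsening to the date, nineteen of the twenty-seven candidate offsets tie, so the posts no longer narrow down where the poster lives. The same reasoning applies to any metadata you publish alongside content: if it is not needed, coarsen it or drop it.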
🤔 In this fictional example, do you think the linkable PII was the restaurant photo or the timestamps? What are other examples of data that could be classified as direct PII or linkable PII?
Attackers can steal PII from companies; such a theft is known as a data breach.
In 2017, the consumer credit agency Equifax was the victim of a data breach, and attackers had access to the PII of 143 million Americans. The PII included Social Security numbers and credit card numbers.
Once attackers had access to that data, they could use the Social Security numbers to impersonate people or use the credit card numbers to make unauthorized purchases.
How would you know if you were a victim of a data breach? The breached organization will hopefully notify you, but services like HaveIBeenPwned can also provide an answer.
Here's an example from HaveIBeenPwned for a generic email address:
[Screenshot from HaveIBeenPwned.com. It shows the text "Check if you have an account that has been compromised in a data breach", a text field containing the email address "email@example.com", and a button labelled "pwned?". The result underneath reads "Oh no - pwned! Pwned on 26 breached sites and found 1 paste (subscribe to search sensitive breaches)".]
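Asking a breach-lookup service about your data means handing it a piece of PII, so it is worth knowing how such a lookup can be done without sending the full value. HaveIBeenPwned's Pwned Passwords range API does this with a k-anonymity scheme: the client hashes the value with SHA-1, sends only the first five hex characters of the hash, receives every stored hash suffix in that bucket, and finishes the comparison locally. The following is an added example, not HaveIBeenPwned's code, that simulates that exchange offline against a constructed in-memory breach index of email addresses (the real service's email search is a separate API; the trim-and-lowercase normalization is an assumption for this example).

```python
import hashlib
from typing import Dict, Iterable, List

# The real Pwned Passwords range API also keys on the first 5 hex chars of SHA-1.
PREFIX_LEN = 5


def normalize(identifier: str) -> str:
    """Canonical form before hashing (assumption for this example: trim + lowercase)."""
    return identifier.strip().lower()


def sha1_hex(identifier: str) -> str:
    # SHA-1 is used here purely as a lookup key, as the range protocol does,
    # not as a way to store secrets.
    return hashlib.sha1(normalize(identifier).encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side (constructed stand-in): hashes of identifiers seen in
    breaches, bucketed by hash prefix."""

    def __init__(self, breached: Iterable[str]):
        self.buckets: Dict[str, List[str]] = {}
        for identifier in breached:
            digest = sha1_hex(identifier)
            self.buckets.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])

    def range_query(self, prefix: str) -> List[str]:
        """All the server ever learns is the prefix; it answers with every
        suffix in that bucket, so it cannot tell which one the client wanted."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex characters")
        return sorted(self.buckets.get(prefix.upper(), []))


def is_breached(identifier: str, server: BreachIndex) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(identifier)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


# Constructed breach list for the example (addresses under reserved example domains).
CONSTRUCTED_BREACH = ["email@example.com", "alice@example.org", "bob@example.net"]

if __name__ == "__main__":
    server = BreachIndex(CONSTRUCTED_BREACH)
    for who in ["email@example.com", "nobody@example.org"]:
        print(who, "->", "pwned" if is_breached(who, server) else "not found")
```

With only three entries the buckets here hold one hash each, so the toy index does not hide much; the anonymity comes from scale. Five hex characters give about a million buckets, and a corpus of hundreds of millions of breached values puts hundreds of suffixes in every bucket, so the prefix alone does not reveal which value the client was checking.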
Because PII falling into the wrong hands can hurt the lives of its owners, laws regulate how institutions store and process PII.
For instance, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) regulates medical PII, whereas the Children's Online Privacy Protection Act (COPPA) regulates the PII of children. In Europe, most forms of PII are regulated under a law called General Data Protection Regulation (GDPR). If you ever develop a website or app that deals with PII of users in those jurisdictions, you’ll have to follow these regulations.
As users, it's best to only give out our PII to online services when it's necessary—and it's almost never necessary to give out government identifiers like a Social Security number.
We should also be careful about our posts on social media. Even if our posts are not clearly PII now, there could be things about that data that we don't yet understand that make it linkable PII in the future.
- How can we safeguard our Social Security or credit card? (14 votes)
- Here are some tips for keeping your information safe.
1) Never enter sensitive information on a public computer.
2) Never enter sensitive information into a website unless you are certain you can trust it.
3) Never enter sensitive information when connected to a public wifi network.
4) Never email sensitive information, even if you receive an email from what looks like a legitimate organization asking for your information.
5) Never insert a flash drive into your computer if it is not yours.
6) Do not download (and especially run) files unless you are confident that they are safe. (51 votes)
- "When you see an ad on a site that seems personalized to your interests, do you feel happy that it's catering to you or mad that it knows you so well?" -from the article to Discuss
They don't "know you so well", they made a guess. When a company says that it is collecting information to make my experience better, I hear, "We want to know all about you, so we can bombard you with ads, and make using a search engine worthless." When I first started using search engines you could get EXACTLY what you were looking for. Now? Now, no matter what you search for, you have to wade through ads to find what you want. Algorithms to make search engines better have made them worse, because they seem to be geared toward promoting sales, not information. Amazon is a good example of how bad search engines have gotten. If you search for batteries, the results will return every conceivable item that could possibly be related to and/or used with a battery. Using the filters on Amazon to narrow your search is a waste of time, as they still try to push items you aren't searching for on you. So, you spend an hour looking for an item, when it should have taken less than 5 mins. This, in my opinion, is not making my experience better. (30 votes)
- You bring up an interesting trade-off between the economic pursuits of the host company and user experience.
To extend the discussion, how do you feel a given company could promote its partners' interests (i.e. display advertisements) without detracting from the user experience? Do you have any suggestions?
Interesting discussion topic, nice work!(15 votes)
- At a doctor's appointment I put my real info, but at other places I don't. Why? (10 votes)
- A doctor is someone you can trust with your information, since the government has put laws in place that prevent them from exposing your PII. Other places, like suspicious websites, aren't as secure. Some websites will want to steal your information to use it for malicious purposes. However, doctors just need to know some of your information (personal medical history, family medical history, who you are, where you live, etc) so they can help you when you get sick, both by making sure to treat your illness better and identify its cause.(20 votes)
- How can PII from social media be PII later but not PII in a former instance? (11 votes)
- The more personal details you contribute through your history of posting on social media, the more contextual info a person viewing it has about you over time. Just knowing that you live in X city is random info. Your name + city + what school you went to for the 5 year reunion + which sports you like + photos from the same park, same time of day you always post on weekends, all start painting a more specific image of who you are, what you have, and your habits. This becomes an aggregate of information which could be exploited. Sorry it's general and long-winded but I hope it gives you an idea of how random info collected over time can become specific and relevant.(18 votes)
- So can people link your information just from your name or phone number?(10 votes)
- Yes! There are numerous websites where you can link someone's phone number to their name, or vice versa. Whitepages is a good example of this. However, you can also look up some things, like phone numbers, in phone books or other more traditional collections of personal information to find out who exactly someone is and where they live.(14 votes)
- Are there decent PII laws for people? (10 votes)
- I would research the cybersecurity laws for your state, they differ state to state. Even if PII laws do exist, remember that hackers are acting illegally, so tough laws will make them tougher.(10 votes)
- What is one way we can protect ourselves from our information? (10 votes)
- I'm not sure why you would need to protect yourself from your information. If you are asking about protecting your information though, please read the top-rated question under the article.(9 votes)
- What is one way I can be safe online? (8 votes)
- Please refer to the top-rated question under the article.(7 votes)
- How do we stay safe so that no hacker steals our information? (7 votes)
- Make sure that you are aware of the information you spread online, and that the information is going to an unarguably trustworthy place. For the "hacker" issue, if you use information when needed and make sure it is removed from the device after, there is no information on the device for the hacker to steal.
Hope this helped,
- How do you get PII from a person themselves? (7 votes)
- nooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooioooooooooooooooooooioooooooooooooooooooooooooooooioooooooooooooooioooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo(2 votes)