topic Re: Derived PII in Privacy

Derived PII

CV_SEC — Wed, 26 Aug 2020 15:50:01 GMT

OK, so having an episode of old-timers today. What is the proper term for a set of data that collectively constitutes PII? For example, the individual data points alone are not PII, but collectively, provide a picture that is "linkable" to an individual? PII that is derived from the sum of non-PII data.

Thanks!

Re: Derived PII

rslade — Wed, 26 Aug 2020 17:39:12 GMT

> CV_SEC (Newcomer I) posted a new topic in Privacy on 08-26-2020 11:50 AM in the

> OK, so having an episode of old-timers today. What is the proper term for a set
> of data that collectively constitutes PII? For example, the individual data
> points alone are not PII, but collectively, provide a picture that is "linkable"
> to an individual? PII that is derived from the sum of non-PII data.

Other than just PII or de-anonimized I can't think of any particular term.
Inference and amalgamation attacks are pretty much as old as databases
themselves ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
I used to worry about robots becoming self-aware & taking over
the world. Then I tried to use a motion sensor faucet.
- https://twitter.com/philipnation/status/564496243762937856
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Derived PII

CV_SEC — Wed, 26 Aug 2020 17:51:40 GMT

Thanks for the quick reply. I've discussed the topic many times but never had anyone ask me for the exact term.

Re: Derived PII

tmekelburg1 — Wed, 26 Aug 2020 18:00:55 GMT

I found this in NIST SP 800-122

"PII data composed of individuals‘ names, fingerprints, or SSNs uniquely and directly identify individuals,
whereas PII data composed of individuals‘ ZIP codes and dates of birth can indirectly identify individuals
or can significantly narrow large datasets"

I didn't find anything specifically to what you're after but somebody else might find it.

Re: Derived PII

MikeinGlennDale — Wed, 26 Aug 2020 19:47:32 GMT

Aggregated

Re: Derived PII

rslade — Wed, 26 Aug 2020 21:52:12 GMT

> MikeinGlennDale (Viewer) posted a new reply in Privacy on 08-26-2020 03:47 PM in

> Aggregated

That's the one. Sorry.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Freedom isn't worth having if it doesn't include the freedom to
make mistakes. - Mahatma Gandhi
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Derived PII

tmekelburg1 — Wed, 26 Aug 2020 22:16:01 GMT

Do we have a source or security framework that specifically references PII and aggregate being connected as such? I only ask because aggregate can be applied to all types of data or information when collecting it in one spot.

Re: Derived PII

MikeinGlennDale — Thu, 27 Aug 2020 10:47:12 GMT

Hi there, @tmekelburg1 the answer I gave about data aggregation and derived PII is based on personal experience. I'm pretty sure that was the term my new friends @CV_SEC were looking for. I was just trying to update my CPE's and then I saw the message board and was like oh he's trying to think of Aggregate LOL.

The best relatable I can think of is the Cambridge Analytica data analytics. They took individual data points for use with influencing outcomes specified by the Cambridge Analytica customers. Recommend the Netflix documentary The Great Hack for the details about methods, and techniques.

There is a case to be made that data in aggregate has a higher "value" than independent data points. Is there a correlation in value / sensitivity? In the late 1990's Netscape (the web browser company) was among the first to monetize data about a customer. They could charge something like $50 for a collection of data points aggregated with a high degree of confidence that those individual data points when taken in aggregate form a whole person.

The invented term PII is arguable treated as more sensitive data than traditional sensitive data types. So...back to the original question about Derived PII. While not an answer to a test question exactly I would like to hear other thoughts about the subject matter.

@tmekelburg1 you made reference to inference attacks in databases and I think that hits the mark accurately. I'm not sure if this message board is designed to help people study and pass exams or if it's intended to share real world experience and examples.

Re: Derived PII

tmekelburg1 — Thu, 27 Aug 2020 13:20:40 GMT

@MikeinGlennDale wrote:
I'm not sure if this message board is designed to help people study and pass exams or if it's intended to share real world experience and examples.

I like to think of this place as a way to 'aggregate' theory with real world experience and examples. Also, Welcome! Stick around and share occasionally.

Re: Derived PII

MikeinGlennDale — Thu, 27 Aug 2020 20:10:22 GMT

Appreciate the welcome @tmekelburg1. Sure, I'll give it a shot.

Re: Derived PII

PuettK — Thu, 27 Aug 2020 21:59:15 GMT

The term you are looking for is aggregate or combinal data. At what point to you continue adding data where the entire set is now PII. In education, FERPA has a rule that you don't take data sets with a group of less than 10. It prevents derived PII instances.