CV_SEC
Newcomer II

Derived PII

OK, so having an episode of old-timers today. What is the proper term for a set of data that collectively constitutes PII? For example, the individual data points alone are not PII, but collectively, provide a picture that is "linkable" to an individual? PII that is derived from the sum of non-PII data.

 

Thanks!

10 Replies
rslade
Influencer II

> CV_SEC (Newcomer I) posted a new topic in Privacy on 08-26-2020 11:50 AM in the

> OK, so having an episode of old-timers today. What is the proper term for a set
> of data that collectively constitutes PII? For example, the individual data
> points alone are not PII, but collectively, provide a picture that is "linkable"
> to an individual? PII that is derived from the sum of non-PII data.

Other than just PII or de-anonymized I can't think of any particular term.
Inference and amalgamation attacks are pretty much as old as databases
themselves ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
I used to worry about robots becoming self-aware & taking over
the world. Then I tried to use a motion sensor faucet.
- https://twitter.com/philipnation/status/564496243762937856
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CV_SEC
Newcomer II

Thanks for the quick reply. I've discussed the topic many times but never had anyone ask me for the exact term.

tmekelburg1
Community Champion

I found this in NIST SP 800-122

 

"PII data composed of individuals' names, fingerprints, or SSNs uniquely and directly identify individuals,
whereas PII data composed of individuals' ZIP codes and dates of birth can indirectly identify individuals
or can significantly narrow large datasets"

 

I didn't find anything specifically to what you're after but somebody else might find it.
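
Added example, not part of any poster's reply: a small audit that measures how the attributes named in the NIST quote above (ZIP code, date of birth), plus an assumed `sex` column, single out records once they are combined. The records, column names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records; no direct identifiers (name, SSN) are present.
RECORDS = [
    {"zip": "99990", "dob": "1980-03-14", "sex": "F"},
    {"zip": "99990", "dob": "1980-03-14", "sex": "M"},
    {"zip": "99990", "dob": "1975-11-02", "sex": "F"},
    {"zip": "99991", "dob": "1980-03-14", "sex": "F"},
    {"zip": "99991", "dob": "1975-11-02", "sex": "M"},
    {"zip": "99991", "dob": "1975-11-02", "sex": "M"},
]

def class_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def k_anonymity(records, columns):
    """Smallest group size; k == 1 means at least one record is singled out."""
    return min(class_sizes(records, columns).values())

def unique_fraction(records, columns):
    """Share of records whose value combination appears exactly once."""
    sizes = class_sizes(records, columns)
    singled = sum(1 for r in records if sizes[tuple(r[c] for c in columns)] == 1)
    return singled / len(records)

def audit(records):
    """Return {column combination: (k, unique fraction)} for every combination."""
    cols = sorted(records[0])
    report = {}
    for n in range(1, len(cols) + 1):
        for combo in combinations(cols, n):
            report[combo] = (k_anonymity(records, combo),
                             unique_fraction(records, combo))
    return report

if __name__ == "__main__":
    for combo, (k, frac) in audit(RECORDS).items():
        print(f"{'+'.join(combo):<12} k={k}  unique={frac:.0%}")
```

Each column alone leaves every record in a group of three, while the three columns together isolate four of the six records, which is the aggregation effect the thread is naming.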

MikeinGlennDale
Newcomer I

Aggregated

rslade
Influencer II

> MikeinGlennDale (Viewer) posted a new reply in Privacy on 08-26-2020 03:47 PM in

> Aggregated

That's the one. Sorry.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Freedom isn't worth having if it doesn't include the freedom to
make mistakes. - Mahatma Gandhi
tmekelburg1
Community Champion

Do we have a source or security framework that specifically references PII and aggregate being connected as such? I only ask because aggregate can be applied to all types of data or information when collecting it in one spot.
MikeinGlennDale
Newcomer I

Hi there, @tmekelburg1  the answer I gave about data aggregation and derived PII is based on personal experience.  I'm pretty sure that was the term my new friends @CV_SEC  were looking for.  I was just trying to update my CPE's and then I saw the message board and was like oh he's trying to think of Aggregate LOL.  

 

The best relatable I can think of is the Cambridge Analytica data analytics.  They took individual data points for use with influencing outcomes specified by the Cambridge Analytica customers.  Recommend the Netflix documentary The Great Hack for the details about methods, and techniques.

 

There is a case to be made that data in aggregate has a higher "value" than independent data points.  Is there a correlation in value / sensitivity?  In the late 1990's Netscape (the web browser company) was among the first to monetize data about a customer.  They could charge something like $50 for a collection of data points aggregated with a high degree of confidence that those individual data points when taken in aggregate form a whole person.

 

The invented term PII is arguably treated as more sensitive data than traditional sensitive data types.  So...back to the original question about Derived PII.  While not an answer to a test question exactly I would like to hear other thoughts about the subject matter.

 

@tmekelburg1 you made reference to inference attacks in databases and I think that hits the mark accurately.  I'm not sure if this message board is designed to help people study and pass exams or if it's intended to share real world experience and examples.  

 

 

tmekelburg1
Community Champion


@MikeinGlennDale wrote:

  I'm not sure if this message board is designed to help people study and pass exams or if it's intended to share real world experience and examples.  

 

 


I like to think of this place as a way to 'aggregate' theory with real world experience and examples. Also, Welcome! Stick around and share occasionally.     

MikeinGlennDale
Newcomer I

Appreciate the welcome @tmekelburg1. Sure, I'll give it a shot.