Federal Internet Law & Policy
An Educational Project
Privacy Notes Don't be a FOOL; The Law is Not DIY

What is Privacy

The discussion of privacy can become muddled because different participants have different conceptions of what Privacy is. [Solove 2005] The conception of Privacy in the United States is very different from the conception of Privacy in the EU. Different "privacy" laws seek to protect against very different harms. Privacy can be viewed as

What is Personally Identifiable Information (PII)

Privacy policies generally address the collection of PII. But what is PII? What information identifies an individual and what information provides no personal information? According to NIST and GAO [NIST PII 2010 p 7, & Sec. 2.2 (This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008)] [Office of Management and Budget (OMB) Memorandum 07-16 (PII is "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.")]:

PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." Examples of PII include, but are not limited to:

  • Telephone numbers, including mobile, business, and personal numbers
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
  • Information identifying personally owned property, such as vehicle registration number or title number and related information
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

Congress in COPPA specified what it considered PII to be, but also noted that the list was not exhaustive. CPNI also identifies what it considers PII. As technologies advance, new questions are raised about what should be added to PII. Some argue that IP numbers should be considered PII [McIntyre 2011].

Protection / Confidentiality of PII

The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." [NIST PII 2010]

The Federal Government has a number of documents concerning the handling of PII. [NIST PII 2010]


Privacy Threats

Technology that will protect you from one threat vector may not protect you from another. An email service that offers encrypted email may protect you against surveillance by an authoritarian regime, but not against the corporation or the divorce lawyer.


A lack of trust in the network / service inhibits use of the network / service.

Privacy Protections

Information Collection Concerns

Looks a lot like FIPPS

From N Doty, D Mulligan, E Wilde, Privacy Issues of the W3C Geolocation API, UC Berkeley School of Information Reports 2010-038, February 2010

Right to Privacy / Media

The Technology of Privacy: When Geeks Meet Wonks

Privacy Tools

Do Not Track

© Cybertelecom