I've had a thought rolling around in my head for the past few years about Personally Identifiable Information or PII.

Identity theft is a big business* for the bad guys. They make tons of money off the back of poor schmucks who either inadvertently give them their information (through social engineering or what have you), some sort of data spill (someone accidentally discloses the information), or through outright theft (hacking). Once the bad guys get the information, they can use it to set up fake accounts or what have you and cause all sorts of problems for just about anyone.

My thinking has been, the easiest way to combat this would be to make this kind of information worthless to anyone. I suppose it would take a complete change in the industry. My questions are:

  • Has anyone been working towards this end?
  • Could PII become worthless to data thieves?
  • If so, what is being done and what might replace PII?

EDIT:

*The Washington Post reported identity theft was a $15.4 Billion financial loss in 2014.

  • One solution is a national identity card, like e-Estonia. Tends to great objections on the basis of privacy (whether that's valid or not). A private company could do something similar; there doesn't necessarily need to be an actual card. But as identity theft is not too common, and it's businesses not individuals who (mostly) end up paying, the incentives for change are not enough. – paj28 Dec 16 '16 at 21:38
  • define "worthless" – schroeder Dec 16 '16 at 21:40
  • @schroeder - Not usable for the purposes of stealing an individual's worth (or whatever someone would want to steal from another person through the use of PII). – Pᴀᴜʟsᴛᴇʀ2 Dec 16 '16 at 21:41
  • less unbacked claims ("is a big business" etc), more well-defined terms (what's "worthless" to you) – Marcus Müller Dec 16 '16 at 21:59
  • @MarcusMüller - I'm not sure where you got the idea identity theft is not a big business, but I did post a link to something which shows huge financial losses from a respected source, as well as a comment which states what I deem "worthless" to mean in this case. – Pᴀᴜʟsᴛᴇʀ2 Dec 16 '16 at 22:22
  • I don't have the impression that it's not a big business, but that introduction really doesn't improve the quality of your question imho – it just renders my perception of your question to be even more based on an opinionated view of the problem, with a kind of conflicted definition of PII. – Marcus Müller Dec 16 '16 at 22:36

1 Answer

PII is what defines an individual, and not only something that can be subject to identity theft and dark web transactions. PII includes identifiers such as social security numbers, name, address, date of birth, personal preferences, religious beliefs, fingerprints, you name it. Again, everything that defines you as an individual. https://en.wikipedia.org/wiki/Personally_identifiable_information

So you can't replace PII, as long as there are individuals there will be PII. And as long as there are individuals, there will always be at least one person who cares about PII (i.e. his or her own) and values it greatly.

-- EDIT to address "what is being done" ----

There are some startups working on the idea that the individual controls his PII from a central dashboard. The idea is that any organization that wants to use that PII needs to be specifically authorized by the individual. Ideally any service providers that call on the data would never copy it and save it elsewhere, but I am not sure how you could manage that from a technical standpoint.

I have seen interesting implementations with a specific health care aspect: users centrally manage health care data and can control who has or no longer has access to, or consent for, using PII of the individual.

user3244085