Redefining PII as We Trade Convenience for Risk in a Contactless World
Since the beginning of the COVID-19 pandemic, my favorite restaurant in my little neighborhood in Seattle has undergone some operational changes.
The only way to order there now is through the virtual menu on the restaurant’s website. They prepare the food back in the kitchen, and someone just brings it out to your table.
I know everybody on the staff, but I’ve hardly seen them in months. The manager still comes around to check on the tables and banter. But overall, the staff are optimized for much less human interaction. It definitely changes the dining experience.
The same theme is playing out across a number of life’s little touchpoints. It’s not just masks and social distancing. In ways large and small, there’s been a broader social shift toward a reliance on virtual processes.
In the morning, if you like, you can preorder your coffee. When you get there, you’ve already paid. You’ve already tipped. Someone brings it out to you. Your name is probably even spelled correctly. (Maybe they’ll bring back some of those robot baristas.)
Whether movie theaters ever come back full strength remains to be seen, but we already have virtual ticketing. You may walk into the theater, find your popcorn and drinks ready for pickup, see the movie in your isolated area, and leave without ever talking to anyone.
When you go to the store for groceries, you may just fill your bag with items marked by RFID tags that supply the product and pricing information. They’re connected to a back-end payment system that automatically charges you via a wireless payment format like Apple Pay—not only cashless, but entirely touchless.
Over the past several weeks, we’ve talked about the changes to education, healthcare and retail as similar stories play out across industries. But what does it all mean for each of us as individuals, navigating this contactless world?
From a security perspective, the biggest issue may be that your digital footprint is now a digital vapor trail. Everywhere you go, you cast a shadow of data that, taken together, reveals who you are, what you like to do, your habits, your addictions.
There has long been a tension between our willingness to give up personal information, security and privacy and our desire for convenience. Now maybe the tables have turned. Convenience has become necessity. And after a while, people just get comfortable with what comes with it.
In the U.S. at least, we’ve long considered “personally identifiable information” to be the hard stuff: Social Security numbers, driver’s license and passport numbers, full names, bank accounts. But Europe’s GDPR is more in line with what PII will mean in this contactless world.
Per Article 4, in addition to those traditional measures of PII, “personal data” also includes “… one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The EU has done a great deal of work to understand what kinds of data really are “personal” and should be protected under the law. In other regions around the world, however, privacy seems to be of little concern.
It bears looking into in the U.S. as we continue to adapt to more complex situations driven by apps. In doing so, we’re increasing the size and complexity of that data vapor trail, and this will only strengthen the ability for companies, government entities and malicious actors to view people’s spending patterns and to anticipate their wants and needs.
At the same time, 5G is being deployed, edge computing is on the rise and real-time analytics is proliferating. Your data is going to be leveraged in real time. Retailers and attackers alike may know what bourbon you drink and your favorite dessert. They’ll know you like to eat peanut butter cups at least once a month. A personal chef might not have as much intel. At what point do your likes, dislikes and habits become “personally identifiable information”?
Now when you get home, you see an email offering free peanut butter cups. Suddenly, you are more susceptible to a phishing attack than ever. You think it’s just a targeted ad. You’re so used to that level of personalization, you don’t even think about the risk as you open the mail.
Hackers might know not only what you like, but also where you’ll be, enabling location-based phishing or other attacks as well. It’s a whole new level of triangulation that’s not just targeting high-value government employees, but anyone with a seemingly healthy bank account.
We’ll see how many of these processes return from the virtual world to the physical world over time, but those virtual processes are likely here to stay regardless. As a result, your PII is becoming a much richer source of information about you, and potentially much more dangerous.
How the security community and policymakers react to this shift will determine whether this expanded concept of PII is simply enabling new forms of consumer convenience, or something more dystopian.