Workshop on Interdisciplinary Studies in Information Security and Privacy
“The Challenge of Personally Identifiable Information in a Networked Society”

“Personally Identifiable Information, …and Privacy[is] like Oxygen: you truly do not prize what you have until it is gone”

"The debate over what constitutes personally identifiable information is the "hardest question…There's a grey area in between [the obvious cases], and that's what we're struggling with right now" Peter Fleischer, Google's global privacy counsel March 26, 2008

Rationale behind Panel

There is manifold evidence that privacy is being challenged today. A series of “data leakage” incidents have been reported in the media, and have raised public concerns about the way in which personal identifiable information (PII) is being stored, and shared.  Similarly, PII is increasingly being collected for the purpose of targeting specific or behavioral advertising to individuals, while social networking Web sites where users disclose PII voluntary have enjoyed "dramatic" growth. Subsequently, a number of public opinion polls have registered strong privacy concerns.

One of the most serious (yet perhaps most unrecognized) challenges to privacy as a result of technology is posed by the blurring boundary between identifiable and non-identifiable information. Traditionally, the literature on privacy has emphasized a distinction between personally identifiable information (PII) (information that can be traced to a particular person and is therefore deserving of protection) and non-identifiable information that does not require protection. Increasingly, data that might have earlier been considered anonymous can now be linked to specific identities and individuals. One frequently cited example is the use of cookies and “anonymous” IP numbers to identify and track on-line behavior. The fact that the European Union, and now also the New Jersey Supreme Court , have stated that IP addresses are personal information confirms this development.

Another worrying development is associated with the growing secondary use of PII, which raises many questions about consumer control over their personal information. Data is increasingly collected for one purpose, and then re-purposed in a manner that the original provider of the data could never have foreseen. This has been exacerbated by the rise of an extensive industry of “data aggregators” and “data brokers” which packages and resells information gathered from consumers to end-users that include the private sector and the government. A key concern is that the “data chain”—which moves from consumers to final end-users—is getting increasingly difficult to monitor.

As data is packaged and re-packaged, it becomes virtually impossible to know how that data is used, and to ensure that initial privacy protections designed for consumers are in fact respected by end-users.

These ongoing changes in the personal information landscape are increasingly out of step with existing policy principles, practices and policies. 

Is PII an oxymoron in a networked environment? What is “identifiable” and what is not?  Does the distinction between primary and secondary use still make sense? What are the consequences of this blurring for “protecting PII” from a policy and technology perspective? Is de-identification impossible? Do we need to re-invent privacy and security practices? Do we need a new paradigm of personally identifiable information?

These are some of the questions that this panel will try to address. The panelists will be a mix of representatives from industry, civil society and government as well as academics. The panel will also reflect the need to consider these privacy and security questions from an interdisciplinary perspective, including law, policy, technology, psychology and economics.  Finally, the panelists will also be asked to reflect on current and future research priorities in the area of privacy and security.