Welcome back tech readers! I was updating my health stats, namely my lower weight on my Google Fitbit, and I thought that I would take the opportunity to explain what PII, or Personally Identifiable Information, is. I’m aware that Google stores personal data like my total number of steps walked per day and my heart rate somewhere in their server universe, and quite frankly, I don’t care if Google knows my weight, my resting heart rate, and the number of steps I climb every day. I do care that they can link this somewhat personal data to other sensitive information about me such as my home address, my credit card number, my mobile number, and my birth date. After all, I use several Google services, some of which are paid, so it makes sense that my credit card be on file (or stored somewhere in their universe). I subscribe to YouTube Premium, and I’ve opted for the family plan. So they know who the members of my family are. They even know when everyone is home based on their mobile tracking information, or at least connected to the same home Wi-Fi network. Same with Apple, Netflix, and Facebook.
Imagine you’re at a party and there are about twenty people. Each person writes a different personal trait on each of 10 pieces of paper and puts them in a hat, anonymously. Let’s call this game “Guess who I am.” Someone picks one of your pieces of paper. “175lbs.” Can they be absolutely certain they can identify you? No. But they can take a lucky guess. Let’s say they pick a total of three pieces of your anonymous information as follows:
“175lbs”
“Jason Cardinal”
“Brown Eyes”
Or
“124 Main Street”
“Works for Walmart”
“Birthdate: January 15, 1975”
Or
“5 foot 6”
“Married to Jane Doe” (obviously not my spouse’s real name)
“555-438-9418” (obviously not my real phone number)
Can anyone at the party most likely figure out who you are? Absolutely! And this game is just for fun. Keep in mind there are many bad actors you’ve never met who are constantly trying to uncover your identity through loose pieces of information about you that are easily discoverable on the web.
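To put numbers on the party game, here is a small added example (not part of the original post) that counts how many guests still match as each slip is drawn, and how many guests can be singled out by some combination of one, two, or three traits. The six guests and their traits are constructed sample data.

```python
from itertools import combinations

# Constructed sample data: six made-up party guests, four traits each.
TRAITS = ("weight", "eyes", "height", "employer")
GUESTS = {
    "guest-1": ("175lbs", "Brown", "5 foot 6", "Walmart"),
    "guest-2": ("175lbs", "Brown", "5 foot 9", "Other Co"),
    "guest-3": ("175lbs", "Blue", "5 foot 6", "Other Co"),
    "guest-4": ("160lbs", "Brown", "5 foot 6", "Other Co"),
    "guest-5": ("160lbs", "Blue", "5 foot 9", "Walmart"),
    "guest-6": ("160lbs", "Blue", "5 foot 6", "Walmart"),
}


def candidates(slips):
    """Return the guests who match every slip drawn so far (trait -> value)."""
    return sorted(
        name
        for name, values in GUESTS.items()
        if all(values[TRAITS.index(trait)] == value for trait, value in slips.items())
    )


def singled_out(k):
    """Count guests for whom some combination of k of their traits fits nobody else."""
    exposed = 0
    for name, values in GUESTS.items():
        own = dict(zip(TRAITS, values))
        if any(
            candidates({trait: own[trait] for trait in combo}) == [name]
            for combo in combinations(TRAITS, k)
        ):
            exposed += 1
    return exposed


if __name__ == "__main__":
    drawn = {}
    # Draw guest-1's slips one at a time and watch the crowd of matches shrink.
    for trait, value in [("weight", "175lbs"), ("eyes", "Brown"), ("height", "5 foot 6")]:
        drawn[trait] = value
        print(f"{len(drawn)} slip(s) drawn -> still matching: {candidates(drawn)}")
    for k in (1, 2, 3):
        print(f"{k} trait(s): {singled_out(k)} of {len(GUESTS)} guests can be singled out")
```

The same count works on any table of records: if a combination of columns matches only one row, that combination identifies the person even though no single column does.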
The 3-Points Cardinal Rule of PII
I’ve come up with my own 3-points rule about which personal data you should safeguard:
Your sacred, private identity can be easily revealed if someone has three of any of the following data points about you. In other words, you’re easily identifiable to anyone having access to any three of these items, which should remain private to you.
- Social Insurance Number
- Telephone and/or Mobile number
- Home address
- Date of Birth
- Credit card number
- Employer
- Spouse’s name
- Mother’s maiden name
- Health card (RAMQ in Quebec)
- Credit score
- Driving Permit (reveals your home address, eye colour, and height – can be quite revealing)
- Driving record
- Criminal Record
- Email address (if it includes your name)
Someone with three pieces of your private information can find out almost anything there is about you quite simply, using services such as Canada411, Equifax, municipal property records, Facebook, Instagram, and even LinkedIn. There are even professional orders you can consult free of charge to look up accountants, architects, dentists, doctors, engineers, lawyers, notaries, and even veterinarians.
Through social engineering, it’s easy to pick up the phone, call up a company, and pretend to be calling for a reference for someone, or to say that your invoice was never paid or that your banking information has changed. Almost anyone can pose as a potential employer and call a background screening service and check for credit reports and criminal records. While some of these services aren’t free, they are easily accessible to almost anyone for a small fee.
Many of us actually share this information as small business owners working out of a home office. From Google Street View you may come across the vehicle someone drives if it’s parked in a driveway (though Google makes an effort to blur license plates).
Here’s some free but valuable advice: Take a moment and think about who has access to your Social Insurance Number. I know who I’ve provided my Social Insurance Number to: the Canada Revenue Agency, my past employer, and my bank (for loan and credit purposes). Perhaps you’ve given out your SIN to other creditors. Who may have access to your driver’s permit? Perhaps you’re an Uber or DoorDash driver. They must have a copy of your driver’s permit and driving record. Who has access to your health card? Perhaps you’ve had some private blood tests or CT scans in a private lab. Did they ask for your health card?
Closing Advice
- Using Credit Cards Online – obtain a low credit limit card that you’ll only use for online subscriptions; keep it separate from your “main” credit card
- Home address – if you work from home and you’re promoting your snow-removal or landscaping services, consider a PO box or virtual address. https://www.canadapost-postescanada.ca/cpc/en/personal/rent-post-office-box.page
- Email addresses – get an anonymous email address, or one-time use email address. Try Apple’s Hide My Email feature. You can find more information here: https://support.apple.com/en-ca/105078
If you’re going to let someone have a slice of your PII, make sure you’re not left with the crust. Stay tuned and thanks for reading.