Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

New PII Discovered: License Plate Pictures

Data Security

After finishing up some research on personally identifiable information I thought, mistakenly, that I was familiar with the most exotic forms of PII uncovered in recent years, including zip code-birth date, movie ratings and other consumer preference information, social network relationships, and facial images. And then I came across an article in Forbes that forced me to add one more to the list: pictures of automobile license plate numbers.

License plate numbers are themselves, of course, obvious identifiers. In theory, you can make a license plate request to a state’s department of motor vehicles—my home state of NJ lets you do just that—to request personal information, including the vehicle’s owner. But you will need a valid reason—court case, insurance, background checks, and also, interestingly, market research purposes.

What has made license plate numbers an even deeper source of personal information are networks of cameras and roving camera-equipped vehicles, good character recognition software, and large databases of license data. Not surprisingly, data brokers have entered this market. One of those brokers claims to have hundreds of millions of vehicle sightings in its databases—i.e., combinations of a license numbers and geo-coordinates.

Adam Tanner, the write of the Forbes article and also a Fellow at Harvard’s Government Department, used a license plate data broker to track the movements of two of his relatives—with their permission.

In effect, the license plate number unlocks a range of sensitive data about the individual, say medical information if the car is parked at a center specializing in cancer treatment, financial if the license number is frequently found at a company specializing in credit problems, or just merely shopping preferences based on stores or malls visited.

As we’ve seen with other types of  next-gen PIIs, technology has made it possible to draw unlikely and non-intuitive connections with existing data. With a birth date and zip code, for example, a data broker can tell you name and address. Now with license plate numbers, they can provide highly granular day-to-day activities, and, as we’ve just seen, this can include very private information.

I strongly suspect that future regulations will take these results into account, and likely place stricter data privacy and security obligations on companies holding consumer data. So the question we always ask around here—“do you know your data?”—should continue to yield surprising results as researchers and others find new ways to pull personal data from what was thought to be anonymous or fairly benign information.

Image credit: Dickelbers

Andy Green

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.