Redefining PII as We Trade Convenience for Risk in a Contactless World

Since the beginning of the COVID-19 pandemic, my favorite restaurant in my little neighborhood in Seattle has undergone some operational changes. 

The only way to order there now is through the virtual menu on the restaurant’s website. They prepare the food back in the kitchen, and someone just brings it out to your table. 

I know everybody on the staff, but I’ve hardly seen them in months. The manager still comes around to check on the tables and banter. But overall, the staff are optimized for much less human interaction. It definitely changes the dining experience.

The same theme is playing out across a number of life’s little touchpoints. It’s not just masks and social distancing. In ways large and small, there’s been a broader social shift toward a reliance on virtual processes.  

In the morning, if you like, you can preorder your coffee. When you get there, you’ve already paid. You’ve already tipped. Someone brings it out to you. Your name is probably even spelled correctly. (Maybe they’ll bring back some of those robot baristas.) 

Whether movie theaters ever come back full strength remains to be seen, but we already have virtual ticketing. You may walk into the theater, find your popcorn and drinks ready for pickup, see the movie in your isolated area, and leave without ever talking to anyone. 

When you go to the store for groceries, you may just fill your bag with items marked by RFID tags that supply the product and pricing information. They’re connected to a back-end payment system that automatically charges you via a wireless payment format like Apple Pay—not only cashless, but entirely touchless.

Over the past several weeks, we’ve talked about the changes to education, healthcare and retail as similar stories play out across industries. But what does it all mean for each of us as individuals, navigating this contactless world?  

From a security perspective, the biggest issue may be that your digital footprint is now a digital vapor trail. Everywhere you go, you cast a shadow of data that, taken together, reveals who you are, what you like to do, your habits, your addictions. 

There has long been a tension between our willingness to give up personal information, security and privacy and our desire for convenience. Now maybe the tables have turned. Convenience has become necessity. And after a while, people just get comfortable with what comes with it. 

In the U.S. at least, we’ve long considered “personally identifiable information” to be the hard stuff: Social Security numbers, driver’s license and passport numbers, full names, bank accounts. But Europe’s GDPR is more in line with what PII will mean in this contactless world. 

Per Article 4, in addition to those traditional measures of PII, “personal data” also includes “… one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The EU has done a great deal of work to understand what kinds of data really are “personal” and should be protected under the law. In other regions around the world, however, privacy seems to be of little concern. 

It bears looking into in the U.S. as we continue to adapt to more complex situations driven by apps. In doing so, we’re increasing the size and complexity of that data vapor trail, and this will only strengthen the ability of companies, government entities and malicious actors to view people’s spending patterns and to anticipate their wants and needs.

At the same time, 5G is being deployed, edge computing is on the rise and real-time analytics is proliferating. Your data is going to be leveraged in real time. Retailers and attackers alike may know what bourbon you drink and your favorite dessert. They’ll know you like to eat peanut butter cups at least once a month. A personal chef might not have as much intel. At what point do your likes, dislikes and habits become “personally identifiable information”?

Now when you get home, you see an email offering free peanut butter cups. Suddenly, you are more susceptible to a phishing attack than ever. You think it’s just a targeted ad. You’re so used to that level of personalization, you don’t even think about the risk as you open the mail.

Hackers might know not only what you like, but also where you’ll be, enabling location-based phishing or other attacks as well. It’s a whole new level of triangulation that’s not just targeting high-value government employees, but anyone with a seemingly healthy bank account. 

We’ll see how many of these processes return from the virtual world to the physical world over time, but those virtual processes are likely here to stay regardless. As a result, your PII is becoming a much richer source of information about you, and potentially much more dangerous. 

How the security community and policymakers react to this shift will determine whether this expanded concept of PII is simply enabling new forms of consumer convenience, or something more dystopian.  
