The European Union is one of the most regulated places when it comes to handling Personally Identifiable Information.

I was going to answer this question by saying that he had to hash the user password because of EU regulations, but I am not so sure.

So, of the login information/metadata below, what falls under EU PII regulations?

  • Username (email)
  • Password
  • Secret questions and answers
  • Phone number (for two-factor authentication)
  • IP addresses the user has logged in from
Mindwin

1 Answer

A password is not considered PII because it's not something that can be used to identify a person. By contrast, all the others you're listing can be used to do that.

Also, notice there are different levels of PII. An email and a phone number have a 1:1 relation with an identity, while a secret question-answer pair and an IP address might not be directly linked to a user's identity. The latter are considered so-called "linkable PII", meaning that they can be used to assist in the identification of an identity but can't be used to establish a 1:1 relationship.

In fact, PII in the EU is more complicated than just listing what is considered PII and what is not. Although the EU has its "region-wide" regulations, there are also country-specific restrictions. For example, as far as I know, in Germany an IP address is considered as critical as a social security number.

The Illusive Man
  • Are you sure about the password? What if my password is something like my social security number or phone? People do use those sometimes... – Ohad Schneider Aug 12 '17 at 10:22
  • @OhadSchneider the difference here is that a password is something that you choose. If you decide to use a password with your social security number or phone, that's your own problem, but that doesn't make a password PII; that just shows that you, as a user, don't follow basic password security guidelines – The Illusive Man Aug 13 '17 at 00:54