37

Personally Identifiable Information (PII) is defined (the example below is from NIST) as (emphasis mine)

> Information that can be used to distinguish or trace an individual's identity, such as name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

How should this be interpreted in the case of a single phone number, not associated to a name?

In other words, if an application is sending bare phone numbers to a server (I am looking at you, WhatsApp) without the name of the number owner, is that number still PII?


EDIT: Jonah Benton gave in his answer a very nice summary of the question, I quote him for the sake of clarity

> (...) the question refers to a practice where an app on a user's phone gets access to contacts (...) on the phone and uploads all phone numbers to the server without also uploading the names associated with those numbers (despite having access to them.)

Are these uploaded bare numbers, without names, considered PII?

WoJ
  • What exactly is WA doing? Where is it getting these numbers from? – Jonah Benton Jul 03 '18 at 11:29
  • @JonahBenton: it is getting the number of the mobile on which the app is installed **and** the phone numbers in the contacts. The privacy policy states that only numbers are sent, thus my question. – WoJ Jul 03 '18 at 15:42
  • yeah, ok, this is the scenario i hypothesized, so see my answer below. in the scheme of things, that data should be considered pii. – Jonah Benton Jul 03 '18 at 15:46
  • 1
    Quoting from the [Personally identifiable information of Wikipedia](https://en.wikipedia.org/wiki/Personally_identifiable_information#NIST_definition): *The following data, often used for the express purpose of distinguishing individual identity, **clearly classify as PII** under the definition used by the National Institute of Standards and Technology (described in detail below): ... Telephone number ...* – Bakuriu Jul 03 '18 at 17:48
  • 1
    If it helps, I think a better name for *"personally identifiable information"* would have been *"personally **identifying** information"*. – user541686 Jul 04 '18 at 05:38
  • @Mehrdad but that would be incorrect. "Personally identifying information" is information that identifies a single person. "Personally identifiable information" is information, that, in combination with other information, makes it possible to identify a person. So "personally identifying information" is a strict subset of "personally identifiable information" and thus not equivalent. – Josef Jul 04 '18 at 09:23
  • @Josef: Well there was a reason I didn't claim it was a perfect name. I'm just saying it would be way more accurate since currently the name PII is rather bizarre on its face and suggests the entity being identified is the information (...by the person...?), not the person (by the information). – user541686 Jul 04 '18 at 10:35
  • I think the question really misses the point. What is under discussion is not "standalone" or "single" phone numbers, but numbers assembled into meaningful groupings. – Ben Voigt Jul 05 '18 at 03:22

6 Answers

46

It depends. Could this number be linked to a single person? (e.g. it is your cell number and if I know this number is in a database and know it's yours, then I know you are in that DB)

Then yes.

If this is not possible (e.g. it is the central call-in number of a big corporation that is connected to any available agent) then no.

If you only have phone numbers without further information about them, you have to assume it is PII, because you don't know if a number belongs to an individual or not.

Josef
  • 1
    So, you're saying that if it's a personal number, that it is PII, because someone might recognize it? – jpaugh Jul 03 '18 at 14:03
  • 27
    No, what I am saying is **if it can be used to distinguish or trace an individual's identity** then it is PII! This is the case if a mapping from number -> person exists. Even if no one could recognize it but it belongs to an individual, it is PII. – Josef Jul 03 '18 at 14:05
  • @Josef How is that different from what jpaugh said? Such a mapping must exist for all personal numbers, because at the least the provider has such a mapping. But how is this useful for distinguishing or tracing an individual's identity if nobody recognizes it - isn't this recognition part of the mapping process, meaning somebody outside the provider has obtained or recognized this mapping? – Michael Jul 03 '18 at 19:54
  • 1
    @Michael the case is where the number by itself is enough to act as an identifier – schroeder Jul 03 '18 at 20:07
  • 3
    @Michael You can use that number to track an individual across a number of 'contacts' (in the radar sense): That number contacted this number at this and this time, that number registered to this cell tower at this time, etc. With enough observations, this pattern characterises a single individual, even if you do not happen to know their name. In fact, that's exactly the way IMSI-catchers on drones are being used. As another analogy, consider a photograph of one's likeness: It can clearly be a personally identifiable information, even if you don't have a way to look up the person's name. – Relaxed Jul 03 '18 at 20:21
  • 1
    @Relaxed Gotcha... it seems to be more of a case of, "this number is PII at such time that we can cross the gap of mapping it to an individual before which it's PII just without a name" which may be done via inference given enough other points of data associated with it. To look at it from another point of view, if you send your attorney to contest a photo traffic violation and the company issuing the ticket doesn't have access to associate your face with a name, they can't prove the two are related, but if you show up to court yourself that association is revealed. – Michael Jul 03 '18 at 20:27
  • 1
    It is worth noting that it would be difficult (probably prohibitively) for any computer application storing the number to verify it falls into the latter category, in which case the OP is best off assuming that somebody will enter a number that can identify them. In other words, it's better to err on the side of caution if developing an app. – jpmc26 Jul 03 '18 at 23:43
  • @jpmc26 Of course. If you just have some phone numbers without further information (e.g. the address book of a mobile phone without names) you have to assume the numbers are PII. Only if you intentionally build a list of support numbers of companies or something similar is it possible to assume the numbers are not PII. – Josef Jul 04 '18 at 07:56
  • @Michael The difference is, I could buy an anonymous prepaid sim card today and start using it. If I don't give this number to anyone, no one can recognize it is my number. Not even the network operator knows my name because I just paid cash. Still, if someone would collect all the metadata and only I use the card, it could be used to identify me later. (I mostly sleep in my flat at night and work at my office during the day, I might call friends sometime...) – Josef Jul 04 '18 at 07:59
16

I don't use WA, so don't know specifically what practice the question refers to, but let's assume that the question refers to a practice where an app on a user's phone gets access to contacts and text history on the phone and uploads all phone numbers to the server without also uploading the names associated with those numbers (despite having access to them.)

Are these uploaded bare numbers, without names, considered PII?

Yes, absolutely.

The server isn't collecting number sequences at random, using them to populate a model of some kind, and then discarding them.

It is building a durable data structure that has entities that are intended ultimately to map to humans, and storing those numbers as metadata with those entities. (Key test- when a contact on the phone has 2 numbers, are those 2 numbers somehow associated with the same durable entity server-side?)

The fact that at a particular zoomed in point in the overall architecture at a particular point in time there isn't a name directly stored with the number in a relational db row is irrelevant.

In the big picture architecture, comprising both client apps and the server, and both the data flows currently in place as well as the data flows that could reasonably easily be put in place without user action- eg an app update that collected names as well could be trivially rolled out without user knowledge or additional permission- big picture, this is an architectural graph that has PII.

PII is a forest-level concern, not a tree-level concern.

Jonah Benton
  • Your first paragraph exactly describes the situation. But then you assume that at some point there will be a mapping between a specific, named individual and the number, which according to WA is not the case. On the other hand - the number is unique to a person, which means that WA knows what user87989 is doing, without knowing that user87989 is actually John Brown. Which, per literal reading of the PII and other answers still means that this is indeed a PII. – WoJ Jul 03 '18 at 15:47
  • 1
    Yes. The definition of PII is intended to be expansive- because it's about privacy. And once permission is given to the app to retrieve contacts information, the fact that the app at this moment in time decides not to retrieve contact name, only number, is immaterial. Once it has permission, it can retrieve name and anything else at any time. – Jonah Benton Jul 03 '18 at 15:54
  • 1
    The other point is- the name a user has entered into their contacts for a given number is often a nickname or shorthand or something that uniquely characterizes the relationship, but is not authoritative from an identity perspective. There are plenty of services that FB can give a number to and get quantities of authoritative identity data for. So if the assertion that names are not pulled from contacts, only numbers, is made on privacy grounds, well, that's at best deceptive. – Jonah Benton Jul 03 '18 at 16:18
11

PII is anything that directly or indirectly can be associated to a person based on Regulation 2016/679 of the European Parliament.

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From the definitions section of the aforementioned regulation

Because you can correlate a phone number with a person (owner of the contract) and that number might be unique to that person you should consider it as PII information.

I am saying this as a precaution, as you never know if it is a public phone number, shared phone or any other use case.

In many cases, even with a shared number, it is still possible to correlate it to a person.

The only case where that is not possible is public phones.

Because we do not know this, we cannot take the risk of relaxed security in all other phone numbers that might be uniquely associated to a specific person.

An IP address can also be PII; because we do not know if it is a proxy or a router at some home, we should treat them as equal.

A more simplistic explanation, with examples, can be found at the link below from the European Parliament.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

> Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Hugo
8

Yes

Clearly and fundamentally, without any doubt; and with especially strong implications when used in a Social Media context like WhatsApp.

The issue is not whether WhatsApp links this phone number to some name when sending it to their server. The issue is that the information itself (the phone number) is linked to you, a person. PII is not so much about usage, and more about the static information content of some data.

Sure, there are degrees in this. For example, birth dates. If I take a sample of just a random birth date (without any attached information) from one person I meet on the busiest street of a city of 10 million inhabitants, then this birth date probably does not help me identify the person later. But if I do the same in a small classroom, it is highly likely that I can do so. (Birthday paradox notwithstanding.)

In the case of the phone number, or a social identification number etc., the case is crystal clear - I can immediately identify the single person in the world related to that number (maybe from a phone book, maybe just by calling and getting their name if they don't watch out).

Potentially ominous scenarios for using such bare phone numbers are plenty; e.g. profiling (by matching with other records that contain the number); discovering groups of people (by grabbing a set of numbers that are somehow grouped inside the application); etc.

AnoE
1

The majority of phone-numbers are linked to unique persons (e.g. their mobile, desk or home), making a phone-number a unique identifier number pointing to a single person.

You could also argue that some phone-numbers are obviously not coupled to a person, but since the percentage of numbers that do largely outnumber the numbers that don't. (Since 2005 fixed phone-lines are on the decline and mobile-phone usage is on the rise, with currently 67% of the world population having a mobile-phone number.)

Phone numbers can clearly be used to re-identify a person in a later stage of data processing. If you enrich it with enough other data (e.g. subscriptions, website visits, geo-locations) you could possibly even identify the natural person. Some companies link phone-numbers to online advertisement-cookie-ids leading to very rich profiles. Online services (for example a movie ticket buying service) are known to sell this data as well.

Therefore I think in most cases a phone-number should be considered personal data. So always handling phone numbers as personal data seems the wise thing to do, unless you are 100% sure that you are only processing phone-numbers of public organizations for example.

  • A phone number is not intrinsically linked to a person. There is no passport number which doesn't belong to a single person, but there are many phone numbers not linked to an identifiable person. And if you cite a law, it has to be interpreted in a legal context. – Josef Jul 04 '18 at 12:20
  • Removed the citation. But arguing that a phone number is not intrinsically linked to a person sounds the same as the advertisement industry has been doing for cookie-ids and IP-addresses, saying it is not a person. I think the new European laws have the intention to make any data that can re-identify a person personal. I truly believe phone-numbers should fall in the exact same category, that is why I linked to article 4: https://gdpr-info.eu/art-4-gdpr/ – Niels van Reijmersdal Jul 04 '18 at 13:28
  • 2
    You are trying to fit the situation to the definition. An "identification number" is a number used for identification. There is more than enough in Article 4 (and its recitals) to justify phone numbers as being PII, but you do not need to stretch an existing definition to get there. – schroeder Jul 04 '18 at 13:34
  • Maybe. I might be confusing an ID used for a person and an ID to identify a phone, both are an identifier, but not an "identification number" according to you. I am having a hard time finding the definition for "identification number", maybe in an English based culture it is very obvious that those words only mean things like EIN or SSN. Reading the Dutch translation and definition of the words still makes me feel a phone number would fit perfectly. It describes any number that can be used to identify people. When my wife calls me I can see it is her (phone number), that meets that definition. – Niels van Reijmersdal Jul 04 '18 at 14:30
  • 2
    @NielsvanReijmersdal I can offer my perspective as a native English speaker: "identification number" usually means a number created for the purpose of uniquely identifying a person or a thing. There are many things that you could probably use to identify a person that wouldn't typically be called identification numbers. For example, a phone number isn't an identification number because its purpose is to *contact* a person (or a business or so on), not to *identify* them. – David Z Jul 05 '18 at 03:24
1

Yes

A base comparison I've been using is with a client's name: does a piece of information allow me to pick out an individual better or worse than a name? You may have hundreds of 'John Smith's but you'll only ever have one individual per phone number (or, at most, a family) and, therefore, it makes it a more identifying piece of information than the person's name.