After finishing up some research on personally identifiable information I thought, mistakenly, that I was familiar with the most exotic forms of PII uncovered in recent years, including zip code-birth date, movie ratings and other consumer preference information, social network relationships, and facial images. And then I came across an article in Forbes that forced me to add one more to the list: pictures of automobile license plate numbers.
License plate numbers are themselves, of course, obvious identifiers. In theory, you can make a license plate request to a state’s department of motor vehicles—my home state of NJ lets you do just that—to request personal information, including the vehicle’s owner. But you will need a valid reason—court case, insurance, background checks, and also, interestingly, market research purposes.
What has made license plate numbers an even deeper source of personal information are networks of cameras and roving camera-equipped vehicles, good character recognition software, and large databases of license data. Not surprisingly, data brokers have entered this market. One of those brokers claims to have hundreds of millions of vehicle sightings in its databases—i.e., combinations of a license numbers and geo-coordinates.
Adam Tanner, the write of the Forbes article and also a Fellow at Harvard’s Government Department, used a license plate data broker to track the movements of two of his relatives—with their permission.
In effect, the license plate number unlocks a range of sensitive data about the individual, say medical information if the car is parked at a center specializing in cancer treatment, financial if the license number is frequently found at a company specializing in credit problems, or just merely shopping preferences based on stores or malls visited.
As we’ve seen with other types of next-gen PIIs, technology has made it possible to draw unlikely and non-intuitive connections with existing data. With a birth date and zip code, for example, a data broker can tell you name and address. Now with license plate numbers, they can provide highly granular day-to-day activities, and, as we’ve just seen, this can include very private information.
I strongly suspect that future regulations will take these results into account, and likely place stricter data privacy and security obligations on companies holding consumer data. So the question we always ask around here—“do you know your data?”—should continue to yield surprising results as researchers and others find new ways to pull personal data from what was thought to be anonymous or fairly benign information.
Image credit: Dickelbers
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael Buckbee
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.
