Comment by dapearce

3 years ago

> It is important to note that the exposed details do not constitute personally identifiable information, so it wouldn't be possible to use this data leak to track individuals

The data included timestamped GPS data, which has been demonstrated to be easy to de-anonymize.

Yeah, companies seem to think that "personally identifiable information" is basically just your name. That's clearly wrong because GPS data and VIN make it extremely straightforward to figure out who a car owner is.

As far as I'm concerned, this is PII. That statement is a bald-faced lie and a state AG should bring charges over this - it's extraordinarily irresponsible for Toyota to collect this data and then leak it for TEN YEARS.

  • "Personally identifiable information" is a legal term with a legal definition[1], and location data is not PII. Companies think that PII is basically just your name because that's literally true: PII means name and government-issued ID number. That's it. Everything else is not PII.

    Relatedly, PII sucks as a basis for privacy law. The laws enshrining PII were made in response to identity theft[2], and that's the "threat model" those laws are protecting against. They do a reasonable job protecting against that threat model, but are very narrowly-focused on that threat model.

    Fine-grained location data is absolutely sensitive data, and any non-braindead privacy legislation would consider it as such. The US lacks such legislation. It would be considered Personal Data under GDPR, and Personal Information under CCPA.

    [1] Actually like 400 definitions in 400 different laws, but there's a lot of similarity.

    [2] Specifically, the first data breach notification law was made in response to lawmakers being the victims of identity theft. This is a common thread in US privacy laws. See also Robert Bork.

    • https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

      (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

      GDPR accepts that a person can potentially be identified with reference to location data.

      Anyway, "Personally identifiable information" is a weird term. A person can be identifiable in various ways. Information is just information. GDPR doesn't use this term.

    • "Personally identifiable information" is a legal term with a legal definition

      In the U.S., the definition of PII varies depending on which federal department regulates your company.

      My company's legal department recently sent down new PII rules, with links to the relevant federal agencies' policies. Much purging of log files ensued.

      I think most tech people would be shocked to see what very basic information some federal agencies consider PII.

But the VIN number was available, as it says right below that

I mean does anyone think there HASN'T been a leak of VIN numbers and owners that would be trivial to join with this?

It's also kind of staggering how long this was a problem

Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023.

  • In my state, anyway, vehicle registrations are public information. If you have a VIN or license plate #, you can get the identity and address of the person the car is registered to, and if you know the name and address of a person, you can get the VINs/plate #s of the vehicles registered to them.

  • I don't think it's at all indicative of how long this problem has been here? Unless I misunderstood, because after re-reading I guess I see how you did read it.

    • It could be read the other way, but the title and first sentence seem to imply that there was a bug for 10 years

      Not that 10 years of data was exposed for a short period

All of five seconds. Where does the car park at night? Put the address into https://www.fastpeoplesearch.com/address

  • This is why I park in front of my neighbor's house. :)

    While I don't do that, I do always use a nearby neighbor's address for my Google Maps directions. I'm sure Google isn't fooled but it amuses me.

    • I do the same thing, there's a small historic landmark several blocks from me but on the right streets to be useful for traffic scanning. I'm not really sure why I do it, it can't fool anyone, but it also amuses me slightly.