SBN

Does osquery violate GDPR rules around Personally Identifiable Data (PII)?

AHHHH! GDPR day is upon us!

If you’ve used a service or signed up for anything ever in your life then you’ve surely noticed the onslaught of “Terms of Privacy Update” emails over the last couple of days. That could only mean one thing: GDPR implementation day has finally arrived! But for all the unavoidable noise around GDPR, we couldn’t help but notice a lack in any advice or documentation about osquery and its link to Personally Identifiable Information (PII) — a focal area in the GDPR regulation (here’s a “handy” 100 page reference guide on GDPR). So, let’s get right to it then.

GDPR DAY HAS ARRIVED!

Does osquery reveal any Personally Identifiable Information (PII)? 

A good place to start is to more precisely define what is PII data, for which we turn to NIST publication 800 – 122 (https://csrc.nist.gov/publications/detail/sp/800-122/final), as authoritative source as any. It defines PII as any information that can be used to distinguish, trace, or be linked to an individual. Information like names, drivers licenses, biometric information etc. can be used to distinctly identify, or distinguish, an individual. Payment transaction data can be used to trace the activity of an individual. And finally, even seemingly anonymous data – such as a to-do list with no direct PII data – may be easily linkable to an individual if some of the items on the to-do list are so role specific that they leave little doubt who the list belongs to. So, PII data (Read more...)

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Milan Shah. Read the original post at: https://www.uptycs.com/blog/does-osquery-violate-gdpr-rules-around-personally-identifiable-data-pii