Blinding Identity Taxonomy

The BIT Report is an official Kantara Initiative report (PDF format / HTML format).

OCA capture bases contain a "pii_attributes" flagging block to enable schema issuers to flag attributes that could potentially unblind the identity of a governing entity. In order to establish commonality across Working Groups (WGs), Task Forces (TFs), and Focus Groups (FGs) at Trust over IP, the BIT fields and notes are defined below for general reference.

BIT Fields & Notes

The field(s) below may be represented by single or multiple fields in your application. The overall suggested approach is to be conservative. When reviewing the contents of your dataset against the taxonomy, you should encrypt if the taxonomy might apply, rather than taking a narrow approach. You may find that a field in your dataset might fall within more than one category. That is to be expected as the definitions are somewhat, and intentionally, fuzzy. More precise or prescriptive definitions are the purview of profiles and schemas, where the population of possible field categories can be prescribed or defined more precisely.

| # | Field Categories | Notes | DPV Entries |
|---|---|---|---|
| 1 | Names | This includes, but is not restricted to: First Names, Last Names, Full Names, and Entity Names. | dpv:Name |
| 2 | Physical Address(es) | | dpv:PhysicalAddress |
| 3 | E-mail Address(es) | | dpv:EmailAddress |
| 4 | Telephone Number(s) | | dpv:TelephoneNumber |
| 5 | Postal Code(s) | May be included with Physical Address. | |
| 6 | Personal Software Application Handles | This is a variant on Name. Example sources include Skype, Slack, RocketChat, etc. | |
| 7 | Profile Pages | | |
| 8 | Passport Numbers | | dpv:OfficialID |
| 9 | Social Security Numbers | | |
| 10 | National Insurance Numbers | | |
| 11 | Driving License Numbers | | |
| 12 | Vehicle Registration Numbers | | |
| 13 | Bank Account Numbers | | dpv:FinancialAccountNumber |
| 14 | Financial Institution Card Numbers | This includes but is not restricted to credit or debit card numbers. | dpv:CreditCardNumber |
| 15 | Personal Identification Numbers (PINs) | | dpv:PINCode |
| 16 | Private Keys / Master Keys | | |
| 17 | Symmetric Keys | | |
| 18 | Public Keys | | |
| 19 | Link Secrets | | dpv:SecretText |
| 20 | Decentralized Identifiers (DIDs) | See https://w3c.github.io/did-core/ | dpv:UID |
| 21 | Employee Identifiers | This may include identifiers from benefits providers like pension plans. | |
| 22 | Account Identifiers | | dpv:AccountIdentifier |
| 23 | Government Identifiers | Numbers, cards or other artefacts issued by a government to a natural person or entity. | |
| 24 | Membership Identifiers | Examples include but are not restricted to membership in a political party, trade union, fraternal order, survivors groups, or email lists. | |
| 25 | Institutional Identifiers | Examples include private health care providers, private clubs, and so on. | |
| 26 | Case Identifiers | Examples include Case ID Numbers, Benefit Plan Participation Identifiers, and so on. | |
| 27 | User Identifiers | Examples include User IDs, logins, and so on. | dpv:Username |
| 28 | Passwords | | dpv:Password |
| 29 | Signatures | Analog or Digital | dpv:SingleSignOn |
| 30 | Digital Certificates | Even where a certificate is published and publicly available. | dpv:ProfessionalCertification |
| 31 | Photos | When encrypting files, examine whether the file name should also be encrypted. | |
| 32 | Videos | When encrypting files, examine whether the file name should also be encrypted. | |
| 33 | Images | When encrypting files, examine whether the file name should also be encrypted. | dpv:Picture |
| 34 | Vocal Sound Bites | When encrypting files, examine whether the file name should also be encrypted. | dpv:VoiceCommunicationRecording, dpv:VoiceMail |
| 35 | Dates and timestamps[1] | Examples include Date of Birth[2], transaction dates, and so on. | dpv:AuthenticationHistory, dpv:CallLog, dpv:PaymentCardExpiry, dpv:Transaction |
| 36 | Genetic Identifiers | This includes but is not restricted to chromosomal, deoxyribonucleic acid (DNA) and ribonucleic acid (RNA) data. | dpv:DNACode |
| 37 | Biometric Identifiers | This includes but is not restricted to voiceprints, iris scans, facial imaging and dactyloscopic (fingerprint) data. | dpv:Fingerprint, dpv:Retina |
| 38 | Internet Protocol (IP) Addresses | | dpv:IPAddress |
| 39 | Media Access Control (MAC) Addresses | | dpv:MACAddress |
| 40 | Service Set Identifiers (SSID) | This includes local WiFi SSIDs. | |
| 41 | Bluetooth Device Addresses (BD_ADDR) | | |
| 42 | Locational Information | This includes Global Positioning System (GPS) or other coordinates, 3-word addresses, and so on. | dpv:GPSCoordinate |
| 43 | Cookie Browser Identifiers | | dpv:BrowserFingerprint |
| 44 | Radio Frequency Identifiers | | |
| 45 | IoT Identifiers (incl. smart meter data) | | |
| 46 | International Mobile Equipment Identity (IMEI) | | |
| 47 | International Mobile Subscriber Identity (IMSI) | | |
| 48 | Social media posts and comments | This kind of field may need to be parsed and/or tokenized as part of the blinding process. | dpv:SocialMediaCommunication |
| 49 | Free-Form Text Fields / Unstructured Data[3] | This kind of field may need to be parsed and/or tokenized as part of the blinding process. | dpv:EmailContent |

[1] Not all captured dates will reveal a person's or entity's identity, but some will, so if in doubt, encrypt.

[2] In some use cases, this can be avoided by using only the Month, or Month/Year of birth, but only if this can be validated.

[3] Text which has no given structure and is not entered in any specific format. Note: All free-form text fields should be encrypted.
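
The conservative review described under "BIT Fields & Notes" can be sketched as follows. This is an added example, not code from the BIT report or the OCA specification: it lists every category that might apply to each attribute, flags dates and unrecognised text by default (footnotes [1] and [3]), and collects the flagged names for a "pii_attributes" block. The keyword patterns, function names, and the sample attribute names and types are assumptions made for illustration.

```python
import re

# A subset of BIT categories from the table, keyed by their number. The name
# patterns are assumptions made for this example; BIT itself defines none.
BIT_PATTERNS = {
    1: ("Names", r"name"),
    3: ("E-mail Address(es)", r"mail"),
    4: ("Telephone Number(s)", r"phone|tel|mobile"),
    27: ("User Identifiers", r"user|login"),
    35: ("Dates and timestamps", r"date|time|dob|birth"),
    38: ("Internet Protocol (IP) Addresses", r"(^|_)ip(_|$)"),
    49: ("Free-Form Text Fields / Unstructured Data", r"comment|note|description"),
}

def classify(attr_name, attr_type):
    """Return every BIT category number that might apply to one attribute."""
    name = attr_name.lower()
    hits = {num for num, (_, pat) in BIT_PATTERNS.items() if re.search(pat, name)}
    if attr_type == "DateTime":
        hits.add(35)   # footnote [1]: if in doubt about a date, encrypt
    if attr_type == "Text" and not hits:
        hits.add(49)   # footnote [3]: unrecognised text is treated as free-form
    return sorted(hits)

def build_pii_attributes(attributes):
    """Map {attribute name: type} to (flag list, {name: [category numbers]})."""
    categories = {name: classify(name, typ) for name, typ in attributes.items()}
    flagged = [name for name, cats in categories.items() if cats]
    return flagged, categories

# Constructed sample schema; attribute names and types are illustrative only.
SAMPLE_ATTRIBUTES = {
    "user_name": "Text", "contact_email": "Text", "created_at": "DateTime",
    "login_ip": "Text", "support_notes": "Text", "remarks": "Text",
    "item_count": "Numeric",
}

if __name__ == "__main__":
    flagged, categories = build_pii_attributes(SAMPLE_ATTRIBUTES)
    print({"pii_attributes": flagged})
    for name in flagged:
        labels = [BIT_PATTERNS[n][0] for n in categories[name]]
        print(f"{name}: {labels}")
```

Name matching only suggests candidates; an attribute left unflagged here (such as `item_count`) still needs a human review against the full table.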