How do I avoid giving all users access to PII of other users in the system?

Question

I'm working on a project that uses JWTs for auth and I have removed all PII from the JWT, only leaving the userId in it. I have an API for users that allows any authorized user to retrieve all users (with searching) or a single user (by their id) from the system. This API returns their name, email, mobile and more.

Is it fine to implement it in this way? Won't any one who has access to the JWT be able to access all the PII from the system? While its true for all the other things in the API as well (products and etc.), isn't it better to hide as much user info as possible?

My current implementation is as I said above. I'm just wondering if this is an okay way to implement this. If not, how do I allow to retrieve user information from the API while also protecting user information?

Answer 1

The question "Is this OK?" requires considering the standards, best practices, and regulations pertaining to data privacy and security.

If your platform explicitly states during the login process or in its terms of service that user information, such as email and other details, will be publicly available on the site, then exposing such information through the API could be considered acceptable. However, it is crucial to ensure that users are adequately informed about this practice and have given their consent.

On the other hand, if your privacy policy or terms of service assure users that their private information will be protected, then it is not advisable to expose user information to any logged-in user without implementing protective measures.

In general, adhering to established data privacy regulations, such as the General Data Protection Regulation (GDPR) or other applicable laws in your jurisdiction, is essential. These regulations often require obtaining explicit consent from users before disclosing their personal information and implementing appropriate security measures to safeguard their data.

In your current implementation, where you have removed personally identifiable information (PII) from the JWT but still expose user information through the API, there is a potential risk of unauthorized access to sensitive user data. While it is true that anyone who possesses the JWT can access the API and retrieve user information, it's generally considered good practice to minimize the exposure of sensitive data.

To address this concern and enhance the protection of user information, you can consider the following approaches:

1. Role-Based Access Control (RBAC): Implement RBAC to control access to sensitive endpoints in your API. This way, only authorized users with specific roles or permissions will be able to retrieve user data. By limiting access to certain roles, you can ensure that only authenticated users who require access to such information can retrieve it.

2. Implement Fine-Grained Permissions: Instead of providing unrestricted access to all user information, you can enforce fine-grained permissions. This means allowing users to retrieve only the specific fields they need rather than the entire user object. By implementing this approach, you reduce the risk of exposing unnecessary user data.

3. Minimize Data Exposure: Evaluate the data you expose through the API and only include the necessary information. For example, consider whether the API consumer requires access to the user's email or mobile number. If not, exclude these fields from the API response to minimize the potential impact of unauthorized access.

4. Encrypt Sensitive Information: Consider encrypting sensitive user data at rest and in transit. This adds an extra layer of protection, even if an unauthorized party gains access to the data.

5. Implement Rate Limiting and Throttling: To prevent abuse and unauthorized data harvesting, implement rate limiting and throttling mechanisms in your API. These measures can help control the number of requests made by a user within a specific timeframe, reducing the likelihood of large-scale data extraction.

You might consider using a dedicated PII data store, such as Piiano Vault, that provides specialized features and security measures for handling sensitive user data. It can help enhance the security of user information through features like data encryption, access controls, auditing capabilities, and many more...

Full disclosure: I work at Piiano.