In the wake of the massive Equifax data breach, once again a spotlight has been shone on the overuse of the not-so-secret number that passes for a national ID in the United States–the Social Security Number (SSN). Perhaps we have become numb to these hacks and data breaches. What, my credit card number was compromised? The credit card company will cancel it and issue another one. My address information? My cell number? Well that’s already out there in many places. My bank account number? Whatever, I’ll change it.
Hold it–someone got my SSN? That’s not an easy one to change. And unfortunately, that one is overused for identity not just by government agencies, but also by utilities, telecoms, and financial services companies to identify you and give you credit and access to their services.
Origins of the SSN
The SSN was never designed to be a universal ID. It was designed to uniquely identify an individual, track their lifetime earnings, and enable them to collect their benefits upon retirement. The IRS and a host of other government agencies at all levels adopted it as an identifier. Private companies, given the lack of any other form of universal identification, adopted it as a form of establishing accounts unambiguously. And it has become a requirement for having a bank account and most any other financial service.
The SSN is the key to all the information major credit bureau companies like Equifaxhold about us–yet given how often you use it for identification, it can’t be considered a secret like a password. In 2009, researchers at Carnegie Mellon University found that they could develop an algorithm to guess SSNs from publicly available information. Part of the reason for that is the original structure of the SSN itself, which is based on the state of issue and also are clustered around birthdates. Since the late 1980s they have been automatically issued at birth. Knowing where and when someone was born–something freely divulged by many on Facebook–can help a hacker derive a SSN with a guessing algorithm and a reasonably powerful laptop.
So the SSN is not a secure form of ID in today’s internet-connected world. What’s the alternative? After 9/11, the issue of secure national IDs came up as a way to ensure against forgeries of ID documents for travel and other purposes. In 2001, Larry Ellison of Oracle called for a cryptographically secure national ID, and offered to provide the needed technology free of charge. The reaction was predictable, as conservatives, libertarians, and civil liberties groups concerned about privacy were adamantly against the concept.
While there continues to be fierce resistance to the above idea, other efforts for more secure IDs have moved forward. Based on the 9/11 Commission’s recommendation, in 2005 Congress passed the REAL ID Act, which sets minimum security standards for state issued IDs like driver licenses. This is far from a universal ID, and was really designed for making it harder to forge this type of identification, to enable better security for airline travel and access to Federal buildings. Better security standards for driver licenses will help, as they are still used for physical identification for major transactions such as buying a car or house, but more often than not just the number is needed for a remote transaction of some other kind. If a hacker scores a full Equifax profile (inclusing a SSN and driver license number) on someone, they are in business.
Modern Universal ID Design
Outside of the US, perhaps the most ambitious national I.D. effort is Aadhaar in India, which now encompasses 1.2 billion people. Originally begun in 2009 as a way to uniquely identify people for government social welfare services, it has become all-but-mandatory identification for travel, financial services, and internet services. If that sounds eerily similar to the use of the SSN in the US, well, it is–except Aadhaar is a system based on modern technology, employing fingerprints, iris scans, and photos as unique identifiers.
Some critics in India are concerned about the implications of allowing private companies tapping into the system. Earlier this year, Microsoft showed a demo in Mumbai of its new Skype Lite service using AAdhaar to uniquely identify a user. While the authorization process is similar to using a Facebook or Google login authorization to identify someone on the web (which in those cases do not truly serve as an identification of a real person) in that the data about the identity is not passed on, the security and privacy concerns are valid.