Aftermath of the Equifax hack

Social Security Numbers and personal data of 143 million people have recently been breached in a hack of Equifax. That’s almost half of the US population. The consumer outrage and media stories after the hack are not fully grasping the root problem.

Equifax, TransUnion, and Experian maintain centralized databases of sensitive consumer data. We have not opted in to using their services, but they maintain information on us regardless. These are not tech companies, and online security is not their core competence. Their security practices are mediocre at best, but that’s not the root problem.

Centralized databases will always get hacked:

On the internet, any company that stores your data will (eventually) get hacked. There are no exceptions to this rule. It’s just a matter of time.

Demanding “better security” of these centralized databases will not make the problem go away. The response to the Equifax hack is not to demand “better security” but to demand the removal of these data banks altogether.

The model of centralized data is fundamentally broken. The real lesson of the Equifax hack is that there is no way to secure centralized databases.

What can we do?

Given the widespread use of legacy social security systems, this is a messy problem to solve. The following suggestions can help:

Near-term:

In the near-term, we should simply assume that our data was hacked and:

  1. Set up a credit/security freeze at all agencies; a fraud-alert is not enough.
  2. Enroll in the complimentary identity theft protection from Equifax.
  3. Most importantly, let’s not let this crisis slip away without getting major reform mandated by law.

Medium-term:

In the medium-term, we should stop using Social Security Numbers as private/sensitive information. They can be used as public identifiers instead. The Social Security Administration (SSA) can start giving people private keys that own social security numbers. These keys can be re-issued if lost or compromised and should require a visit to a local SSA office.
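
The medium-term idea above, sketched as an added example that is not part of the original post: the number is treated as a public identifier, and a request is accepted only with a signature over a fresh challenge from the currently issued key. Lamport one-time signatures stand in for a standard scheme such as Ed25519 so that only the Python standard library is needed; the `Registry` class, its methods and the identifier `000-00-0000` are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: Lamport one-time signatures (stdlib only) stand in for a standard
# scheme such as Ed25519. A Lamport key pair must sign only one message.
def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def bits(msg):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg):
    return [priv[i][b] for i, b in enumerate(bits(msg))]  # one secret per digest bit

def verify(pub, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Registry:  # hypothetical issuer registry: public identifier -> current public key
    def __init__(self):
        self.keys, self.pending = {}, {}
    def issue(self, ident):
        priv, self.keys[ident] = keygen()  # overwriting revokes the previous key
        return priv
    def challenge(self, ident):
        c = secrets.token_bytes(32)
        self.pending[c] = ident
        return c
    def check(self, ident, c, sig):
        if self.pending.pop(c, None) != ident:  # unknown or already-used challenge
            return False
        return ident in self.keys and verify(self.keys[ident], c, sig)

def demo():
    reg, ident = Registry(), "000-00-0000"  # constructed placeholder identifier
    old = reg.issue(ident)
    c1, c2 = reg.challenge(ident), reg.challenge(ident)
    s1 = sign(old, c1)
    out = {"holder": reg.check(ident, c1, s1), "replay": reg.check(ident, c1, s1),
           "number_only": reg.check(ident, c2, sign(keygen()[0], c2))}
    new = reg.issue(ident)  # old key reported lost or compromised
    c3, c4 = reg.challenge(ident), reg.challenge(ident)
    out.update(old_key=reg.check(ident, c3, sign(old, c3)),
               new_key=reg.check(ident, c4, sign(new, c4)))
    return out
```

Calling `demo()` returns one boolean per case: the key holder, a replayed signature, someone who knows only the number, the revoked key after re-issue, and the newly issued key.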

Long-term:

In the long-term, we should remove our dependence on the Social Security Administration and centralized databases like Equifax. Decentralized identity systems like Blockstack ID, uPort, and Civic have made significant progress in recent years. Blockstack recently released a new system that scales registrations to millions of users. It’s inevitable that hacks of centralized identity systems will force everyone to switch over eventually.

The hacks will not stop. Decentralization is the only way forward.


Comments? Tweet them @muneeb