Post-Equifax Breach, It’s Time for a Digital Universal ID
by Ben Algaze
In the wake of the massive Equifax data breach, once again a spotlight has been shone on the overuse of the not-so-secret number that passes for a national ID in the United States–the Social Security Number (SSN). Perhaps we have become numb to these hacks and data breaches. What, my credit card number was compromised? The credit card company will cancel it and issue another one. My address information? My cell number? Well that’s already out there in many places. My bank account number? Whatever, I’ll change it.
Hold it–someone got my SSN? That’s not an easy one to change. And unfortunately, that one is overused for identity not just by government agencies, but also by utilities, telecoms, and financial services companies to identify you and give you credit and access to their services.
Origins of the SSN
The SSN was never designed to be a universal ID. It was designed to uniquely identify an individual, track their lifetime earnings, and enable them to collect their benefits upon retirement. The IRS and a host of other government agencies at all levels adopted it as an identifier. Private companies, given the lack of any other form of universal identification, adopted it as a way of establishing accounts unambiguously. And it has become a requirement for having a bank account and almost any other financial service.
The SSN is the key to all the information major credit bureau companies like Equifax hold about us–yet given how often you use it for identification, it can’t be considered a secret like a password. In 2009, researchers at Carnegie Mellon University found that they could develop an algorithm to guess SSNs from publicly available information. Part of the reason for that is the original structure of the SSN itself, which is based on the state of issue; the numbers are also clustered around birth dates. Since the late 1980s they have been automatically issued at birth. Knowing where and when someone was born–something freely divulged by many on Facebook–can help a hacker derive an SSN with a guessing algorithm and a reasonably powerful laptop.
So the SSN is not a secure form of ID in today’s internet-connected world. What’s the alternative? After 9/11, the issue of secure national IDs came up as a way to ensure against forgeries of ID documents for travel and other purposes. In 2001, Larry Ellison of Oracle called for a cryptographically secure national ID, and offered to provide the needed technology free of charge. The reaction was predictable, as conservatives, libertarians, and civil liberties groups concerned about privacy were adamantly against the concept.
While there continues to be fierce resistance to the above idea, other efforts for more secure IDs have moved forward. Based on the 9/11 Commission’s recommendation, in 2005 Congress passed the REAL ID Act, which sets minimum security standards for state-issued IDs like driver licenses. This is far from a universal ID, and was really designed to make it harder to forge this type of identification, to enable better security for airline travel and access to Federal buildings. Better security standards for driver licenses will help, as they are still used for physical identification for major transactions such as buying a car or house, but more often than not just the number is needed for a remote transaction of some other kind. If a hacker scores a full Equifax profile (including an SSN and driver license number) on someone, they are in business.
Modern Universal ID Design
Outside of the US, perhaps the most ambitious national I.D. effort is Aadhaar in India, which now encompasses 1.2 billion people. Originally begun in 2009 as a way to uniquely identify people for government social welfare services, it has become all-but-mandatory identification for travel, financial services, and internet services. If that sounds eerily similar to the use of the SSN in the US, well, it is–except Aadhaar is a system based on modern technology, employing fingerprints, iris scans, and photos as unique identifiers.
Some critics in India are concerned about the implications of allowing private companies to tap into the system. Earlier this year, Microsoft showed a demo in Mumbai of its new Skype Lite service using Aadhaar to uniquely identify a user. The authorization process is similar to using a Facebook or Google login to identify someone on the web (which in those cases does not truly serve as identification of a real person), in that the data about the identity is not passed on. Even so, the security and privacy concerns are valid.
Given that the Aadhaar system stores physical identification data, as well as a host of demographic information, a major concern is that if it’s compromised, it’s really a single point of failure with disastrous consequences for the myriad services that depend on it. While Aadhaar employs state-of-the-art encryption, usually the compromise of such a system comes from a weaker link–an improperly designed or unaudited mobile or web app, or a phishing scam that steals a credential from someone with wide access to the system.
We’re Already Compromised
The privacy and security concerns for any type of universal identification database are of course completely valid. If a mandatory national/universal ID were established, how would we keep the government from capturing information on our every transaction? How do we ensure that private companies and organizations use it only for identification, without tracking? While these questions are valid, I would submit that our privacy is almost nonexistent already. A few examples:
- We willingly trade privacy for free internet services from Facebook, Google, Amazon, and many other companies. Our cloud-stored emails, messages, pictures, purchases, and files all contain a trove of data about our lives. While ostensibly that data is mined for commercial purposes, privacy laws have not kept pace to prevent it from being potentially used for more nefarious reasons.
- The Equifax breach, potentially exposing identifying data of almost 150 million Americans, almost qualifies as a single point of failure. A significant data breach at Facebook, Google, or Apple could be characterized the same way, especially as these companies are all also moving into financial payment services.
- Databases that serve the health insurance industry have collected a mountain of information about our health history, including hospitalizations, diagnoses, treatments, and drugs prescribed. A universal ID might help to add more to existing profiles–think about health tracking from wearables. But that might actually be beneficial in the long run, as applying big data analysis to it may enable better health outcomes.
- Our travel is already being tracked. Our smartphone is smart enough to know when we’re moving. All those helpful Google cards on how long it takes to get to our next destination? It either already knows from your calendar, or simply has been tracking your movements and analyzing the patterns.
- The NSA has the computing power to track every unencrypted voice, data, and email message in the country, in the name of national security. And it is used for that purpose. We think. Big Brother is already here.
The point? Privacy is almost nonexistent in today’s world with rapidly advancing technology. But that doesn’t necessarily imply either private companies or the government are using this information in nefarious ways, although we know that has happened and will continue to happen in the future. Fear of giving up further privacy should not keep us from using modern technology to solve a real identification problem and deter fraud. What does need to happen to protect our privacy is the enactment of laws that recognize the collection of this information in the public and private sectors, and put protections and penalties in place to guard against misuse.
Originally published at www.extremetech.com on October 5, 2017.