Analysis / Culture / Top Stories /

Is It Time to Replace Social Security Numbers?

15 Oct 2017 6:00am, by

It may be the ultimate data problem. How do we allow people to identify themselves digitally in a way that’s secure yet simple? After a massive data breach at Equifax in which 143 million social security numbers were accessed, America has begun searching for a better solution.

In fact, security technologist Bruce Schneier thinks social security numbers were just filling a void as the country transitioned to a digital society. “They appeared at an age when we didn’t have other numbers,” Schneier said in an interview with Insurance Journal. “Think of this as part of our aging infrastructure… Sooner or later we as a society need to fix our aging infrastructure.”

How We Got Here

Originally the sole purpose of the nine-digit number set was to identify Americans for their retirement payments from the social security system — as well as their pre-retirement contributions. Since nearly every working American has a social security number, it’s since morphed into a catch-all identification number. A tax reform law in 1990 even required parents to list social security numbers for any child over the age of one (if they wanted a tax deduction for them), and the Social Security Administration now advises parents to apply for the number when their children are born.

Other countries have entirely different systems — and in some cases, they’re more sophisticated. India uses a unique number issued only after the intended recipient has been fingerprinted and had their iris scanned — and it’s used by almost 1.2 billion people. China uses a similar system, named Hukou, based on residence permits. Estonia implemented a system of national ID cards that are cryptographically-secure using a distributed blockchain ledger that enables additional applications in healthcare, travel papers, and even for identifying voters. “It’s safe to say that well over a third of the world uses government-issued identifiers,” noted a recent essay in the Harvard Business Review — and most of them go beyond a simple nine-digit number.

So Thursday a U.S. Congressman introduced new legislation that would require credit bureaus to phase out the use of Social Security numbers by 2020.

And Rob Joyce, the White House’s cybersecurity coordinator, says the White House already asked federal departments and agencies to research ways to replace social security numbers with “modern cryptographic identifiers” like public and private keys. Joyce is also expressing his strong opinion that the familiar nine-digit number “has outlived its usefulness.”

Looking for a Change

Phasing out social security numbers is not a new idea, notes Wired. The Obama administration also investigated security digital identity options through a program called the National Strategies for Trusted Identities in Cyberspace. “It’s going to be a while until this problem is solved,” says Paul Grassi, a senior standards and technology advisor at the National Institute of Standards and Technology, “but we built our latest guidelines under the assumption that your data is out there whether you like it or not.”

Richard Smith — the recently-retired CEO of Equifax — agrees. Earlier this month he told a Congressional committee it’s time for America to “think beyond” the idea of social security numbers being private and secure.

There’s a lot of interest in the idea from the financial community. Analysts at Cowen Inc. believe this approach could save the credit bureau industry since “this reduces the risk of business-model-busting legislation such as a requirement that consumers opt-in to a credit bureau collecting their data.” When Equifax’s former CEO appeared before Congress, Illinois Representative Jan Schakowsky pointed out that “I never opted in. I never said it was okay to have all my information, and now I want out… Can I do that?”

“That requires a much broader discussion,” Smith replied, “around the role of the credit reporting agencies.”

Steven M. Bellovin, a professor of computer science at Columbia University, says he’s also heard arguments for the elimination of credit bureaus, but “the correct answer is stricter controls on what information can be kept and on how it can be used,” he told Motherboard.

But everyone agrees there’s a lot of money at stake. In August Equifax’s then CEO Richard Smith told students at the University of Georgia that credit bureaus get their data for free from banks — then sells it back to the banks after performing a computerized analysis, giving the company a gross margin of about 90 percent.

What Next?

There’s just one problem. “It’s really hard to do better,” argues professor Bellovin. “Basically, running any sort of national identity scheme is hard, and it’s not clear that the replacement would have fewer problems than what we have now.” Calling the nine-digit numbers “a low-grade secret,” he argues that they’re used as a database key to uniquely identify records and link them properly to the same individual’s data in other databases. The depressing truth: “if you need linkage and you need memorability to recover from lost credentials, any replacement for the social security number is going to have most or all of the same problems.”

Schneier sees another issue. While more secure systems are possible, “magic math costs money.”

Maybe one solution involves making it even more expensive to have an insecure system. Bellovin notes that some financial firms send a paper mail to a physical address to confirm changes — but that this isn’t implemented consistently, which “suggests that the real solution is regulatory: make credit providers liable for the full damages, including ongoing inconvenience, suffered by victims of identity theft.”

One Republican congressman from Texas has even suggested “some kind of fine-per-account-hacked that’s large enough that even a company that’s worth $13 billion would rather protect their data and probably not collect as much data,” Bloomberg reported.

Another suggested fix: having a mix of identifiers — possibly interoperable, but definitely more decentralized, reducing the impact of any single breach. This has the added benefit of reducing what the American Civil Liberties Union senior policy analyst Jay Stanley calls the “eagle’s eye view of every activity.”

“There is a clear need for individuals to be identified and authenticated and there are ways to do it that still preserve privacy,” he told Wired Friday. “People use the Social Security number because they don’t have anything else. It’s ridiculous.”

Insurance Journal also spoke to Bob Stasio, a fellow at the Truman National Security Project who discussed the possibility of using a public key, which would then authorize the sending of messages to be decrypted by the corresponding private key. One big advantage? It’s easier to replace the private keys in the event of a data breach than it is to replace a social security number.

Another possibility is biology-based “biometric” identification systems. For example, Apple’s newest iPhone X uses 3D sensing cameras to recognize the face of its owner, replacing the Touch ID system on older iPhones which used fingerprints. They’re not foolproof. Researchers were able to the new iPhone by creating a 3D rendering of a face using photos from Facebook, and another team successfully created a set of fake “MasterPrints” combining common features from many fingerprints which fooled fingerprint identification systems up to 65 percent of the time.

But security lawyer Jerri-Lynn Scofield isn’t a fan of biometric solutions for another reason. “What we’re being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data,” she wrote recently on an economics blog. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out?”

Beyond security issues, there’s an issue with the data collection itself. “It should be apparent that part of the problem is that the centralization of so much valuable information is what draws hackers. And the more we centralize, the more precious the prize will be… Inviting the biometric ID fairy drop by and replace the existing Social Security number is not the solution.”

And ultimately the Equifax breach happened in part because the company failed to patch a known security issue, suggesting some of our problems aren’t technical so much as they are procedural. During a hearing with Equifax’s retired CEO, Oregon Congressman Greg Walden was even more skeptical that any legislative fix could compensate for egregious human errors.

As he told a local television station, “I don’t think we can pass a law that can fix stupid.”


WebReduce

Feature image: Pre-computer cardpunch operators at America’s Social Security Administration, from Wikipedia, public domain.


A digest of the week’s most important stories & analyses.

View / Add Comments