Is there a better idea for ID?
They’re supposed to be the nine most closely guarded numbers in your life. But with an ever-growing number of companies asking for Social Security numbers – and then hit by cyber breaches exposing them – experts say the Social Security number is clearly a flawed way to accurately identify someone.
“Congress should prohibit the use of Social Security numbers as a personal identifier outside of the Social Security system itself,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, wrote recently at Real Clear Policy.
Yet coming up with a good alternative is not an easy task. People have been thinking about it for years. In 2011, the Obama administration set up a center to look into the concept of a digital iden-
tity. After the Equifax breach, privacy and security experts have called for more funding for that program, the National Strategy for Trusted Identities in Cyberspace, to replace the Social Security number as an identification number in the pubic and private sector. Part of that group has come up with a set of best practices for security, but even with improving identification and security technologies, no silver bullet has emerged for replacing this broken system.
One issue with Social Security numbers is that they’re widely distributed and, therefore, not at all private. You can hardly rent an apartment or apply for a job today without coughing up your SSN. Thanks to breaches, your number could be found nearly anywhere.
Second, they aren’t particularly secret. The first three digits are known to be a geographical code based on where you lived when you first registered for your number. (You can find those codes on Wikipedia, for crying out loud.) Another component for making a number? Your birth date, which is basically public information in an age of the Internet.
So even if someone gets just part of your number, it can be easy to figure out the rest.
Which brings us to another big issue with the SSN: It’s not easy to get a new one. The Social Security Administration lists fraud among the allowed reasons for obtaining a new number, but you have to submit proof of continuing harassment and other documents that prove who you are. When companies such as Equifax aren’t proactive or clear about telling users whether their information has been exposed, that leaves the average person in a lurch.
One possible alternative is biometrics. The strength of biometrics is that your face and fingerprints are uniquely yours on a detailed level.
But that’s also a weakness. Fingerprints are public, as Sen. Al Franken, D-minn., noted in a 2013 letter to Apple detailing concerns about its Touch ID scanners. We leave traces of our prints on everything we touch. Our faces are also quite public, especially in the age of social media.
Another alternative is a technology known as blockchain, which creates a public ledger of transactions.
The appeal of blockchain is that individuals would know when their number was being used because the technology allows for transactions to be logged publicly, said Daniel Riedel of the security and automation data firm New Context. Blockchain would notify you when requests for your number come up and could let you block transactions.
Others – particularly in the health sector – have suggested a unique national ID number, similar to what other countries, such as the United Kingdom and Japan, use for their national health services or central identification. But simply proposing a new ID number could lead to the same issues we have with Social Security numbers. That idea also worries those who fear that we’d be giving the federal government too much power. And it doesn’t sit easily with some privacy experts.