Building Trust Privacy

Post Equifax, We Need to Reconsider How to Identify People 

Victims of identity theft will tell you the experience is like having your personal life broken into, tossed around, and thrown out onto the street. It is a violation that is indescribable. Then, you could discover that strangers are impersonating you, carrying out crimes under your name, and destroying your reputation. Unraveling the mess that follows is a long, painful and never-ending process – all this because someone else was careless or willfully negligent with your data.

Even if your data was not exposed in the Equifax breach, you should be both concerned and angry. This is a potentially catastrophic breach: roughly 143 million individuals (approximately 45% of the US population) now face the prospect of identity theft.

As a society, we need to seriously rethink why and how we identify people. How did the social security number become the default identifier, especially for non-governmental functions such as credit reporting? When the Social Security Administration first issued SSNs in 1936, their “sole purpose” was to track the earning history of workers for benefits. In fact, Kaya Yurieff points out that until 1972, the bottom of the card read: “FOR SOCIAL SECURITY PURPOSES — NOT FOR IDENTIFICATION.”

Social security numbers (SSNs) were not designed for general identification, and they pre-date the digital era; they were never built for the threat model they face today. An SSN is now asked to do two jobs at once: identify a person (who you are) and authenticate them (prove you are that person). A nine-digit secret shared with every business that collects it cannot do the second job, and unlike a password it cannot be rotated once it leaks. Part of the problem is that SSNs are collected by businesses for unforeseen purposes and sprinkled around like confetti in servers connected to the Internet. In addition, the number is typically self-asserted; even if an individual is required to present their social security card, forgery is possible.

Koreans have first-hand experience of the pitfalls of persistent national identifiers. From 2004 to 2014, about 80% of Koreans had their national identification numbers and personal data stolen from a variety of businesses. The scandal led to calls for an overhaul of the national identity system. The system was not redesigned; reissuing numbers to every resident over 17 was estimated to cost billions of dollars. Since 2014, the Personal Information Protection Act (PIPA) has prohibited the processing of RRNs (Resident Registration Numbers) regardless of the data subject’s consent and required data processors to delete all RRNs collected prior to August 2014 within two years.

American businesses should take a page out of South Korea’s book; they do not need to wait for legislation to embrace data minimization – limiting the amount of data they collect and retain. If a customer’s SSN is not strictly necessary to provide a service, why request it in the first place? As more users are affected by data breaches, more of them will hesitate to engage with a company that requests their SSN online. Businesses that embrace data minimization at the outset avoid this pitfall, and data that was never collected cannot be breached.

If a business does require a SSN from a customer, it must ask itself two questions. First, does the number need to be retained at all? Once identity has been established, another identifier could be used or created, and the SSN discarded. Second, if the SSN must be kept, what security measures protect it? At a minimum it should be partitioned from the rest of the customer’s personal information, so that a compromise of the ordinary customer database does not also expose the SSN.

At a macro level, it may be time to consider better ways to manage SSNs in the U.S. While this undertaking and its cost are daunting, the potential cost of the fallout from identity theft affecting millions of U.S. citizens outweighs these considerations. In 2016 alone, identity theft cost Americans over 16 billion USD. [5]

Ideally, we would have a system with sufficient abstraction built into it to allow an identifier to be replaced while maintaining continuity of the individual’s records. This already exists, but only on a limited scale and only after an individual has been a serial victim of identity theft. (See “A victim of identity theft continues to be disadvantaged by using the original number.”) We do not have to do away with social security numbers, but the SSN should not be the “go-to” method to validate someone’s identity online or offline. In any case, SSNs need better security at the point they are entered (e.g. two-factor authentication on the account that submits them) and once they are stored (e.g. encryption, access control, etc.). We also need easy means to revoke and replace compromised numbers.

As a citizen, for yourself and as a champion for others, assert your privacy. If you are asked to provide your social security number, ask why the business needs it, how it will be used, and how they will protect that data. Offer to provide alternate means of identification. If you are no longer using a service, ask them to delete your account and all your associated personal data. Remember not to reuse passwords, not to answer security questions with guessable information, to choose different questions for each service, and to use encryption where you can. For more online privacy tips, please go to Sword and Shield and Your Digital Footprint Matters.

Users can take steps to protect themselves, but ultimately, the responsibility rests on the shoulders of those who handle our personal data. Data stewards must stop being cavalier with other people’s data. It’s not good enough to say “oops, we have had a data breach, sorry about that”. If companies will not take data stewardship seriously, they should not be allowed to collect and handle personal data. Furthermore, data handlers should have robust contingency plans to reduce the impact of a breach on users’ daily lives as much as possible. At the end of the day, the burden of a breach should be felt by the data handler, not the end user.