Social Insecurity Numbers

I want to rant a bit about Social Security Numbers. This has been a storied year for data breaches, with the theft of customer and employee data making headlines. And while highlighting cybersecurity is important, the part that isn’t discussed is why we should care about the data that’s been stolen. After all, no one is particularly concerned that the cyber-thieves “stole” your name; we care about data that can be used to harm us. Either it’s personal, or it’s valuable, or it can somehow be used to your detriment. The two biggest concerns are probably credit card numbers and social security numbers, and while credit card numbers are problematic, social security numbers should not pose a threat to anyone. And yet they do. Why is this?

A brief history of the SSN:

The Social Security Number (SSN) was created in 1935 by the Social Security Administration as a means of cataloguing citizens who were to receive Social Security benefits. The SSN was intended to serve purely internal functions, and the old cards even said “Not for Identification.” They were originally issued when you held your first job, but in 1986 this was adjusted to avoid tax fraud, requiring children over the age of 5 to register (apparently 7 million dependent children magically vanished that year). An SSN is now required for any child claimed as a dependent, and the application is included with most birth certificates. Because of Social Security’s status as a near requirement for US citizens and permanent residents, it has evolved into a de facto national identifier, and is often required for acquisition of bank loans, government ID, and for tax purposes. Cliff notes – the SSN wasn’t intended to be an identifier, but has evolved into one over time.

Social Security Numbers now serve as a sort of skeleton key, providing access to large amounts of information held by government agencies, financial institutions, healthcare providers, and numerous other sensitive areas. Yet this is a perversion of the SSN’s purpose and structure. As explained above, the SSN is at best an identifier: it was never intended to prove who you were. The privacy concerns over the SSN stem from a fundamental misuse of the number, and although widespread, the use of the SSN for authentication is a massive security flaw in US infrastructure that needs to be remedied. The SSN should not be private, and it should not be used to authenticate.

Who are You?

To start, let me articulate a fundamental distinction: identification vs. authentication. Identification refers to anything that tells others who you are. Authentication refers to anything that proves you are who you say you are. This distinction, although seemingly clear, tends to break down in practice, mainly because authentication is surprisingly difficult. We therefore tend to use identifiers as weak authenticators because we assume that only the real person would have an identifier saying as much. For instance, an ID card without a photo really is just a name on a card, but it often serves as a weak authenticator. Why else would they have it? And even photo ID like a driver’s license doesn’t actually prove that you are the person on the card, it just says that the person on the card has these traits. When someone compares the photo to the cardholder, they are performing a weak authentication.

The problem is that the Social Security Number is widely used as an authenticator, when it is really nothing more than an identifier. Whenever a bank or hospital asks you to confirm your SSN before proceeding, they are attempting to authenticate you based upon your knowledge of your SSN. But the SSN does not come with any biometric data for comparison, such as the height, weight, or hair color of the individual, nor does it come with their picture. It is used like a password, where mere knowledge is considered authenticating. But this is like creating a password that you are sometimes required to give to other people. And what is the first rule about passwords? Don’t give other people your passwords! (Sorry Fight Club fans.) Knowing someone’s SSN does not prove you are them, it proves that you know their SSN.

This problem is fundamental in authentication. I’ve discussed authentication broadly before, but this relates specifically to knowledge factors. Put simply, companies and government agencies want me to prove that I am me, and they do so by asking questions they think only I know the answers to. The problem is, of course, that they are doing this using information that I am not the only one to have, which undermines the security of the knowledge factor. Since the SSN is also an identifier, we must often provide it simply to tell others who we are. And even if we scrupulously protect our SSN, we cannot ensure that others will do the same, and once the data is compromised, it’s nearly impossible to re-secure. Often this is mitigated by requiring several knowledge factors, but these knowledge factors still tend to be information that isn’t truly private, and therefore don’t substantially improve the security of the system. This system of using multiple weak knowledge factors for authentication is at the root of many public security breaches. (This is also a problem with security questions, which is why you should lie in your answers.)

This breakdown between authentication and identification is all too common, and in an increasingly digital world, the things we choose to use as authenticators become increasingly important. While my dream of a state-issued authenticator is probably just that, we certainly shouldn’t encourage use of authenticators that are so clearly insecure. So how should we remedy this? Make the Social Security Number public!

Privacy through Publicity

Why is our SSN private? That is basically the question at the heart of this discussion. There is really no good reason, because our SSN should not be used as an authenticator. It’s just a number that allows the Social Security Administration to know who specifically they are referring to (there are several Scott Russells; there is only one person with my SSN). I’m fine with it being our de facto identifier (I don’t want to memorize more numbers), but keeping the SSN private maintains the possibility that others will consider knowledge of it authenticating. Indeed I would be in favor of publicizing almost everything that might be used as an identifier, if only to dissuade others from viewing that information as authenticating.

After all, our SSN is not private in the way our medical records or religious beliefs are private; it is private purely because we are afraid of the ramifications of it being made public. We have no inherent association with the numbers that would be fundamentally impacted by publication; no one is embarrassed by their SSN (with the possible exception of Math nerds). We keep them private because we worry that others will use them as authenticators, a possibility that is only prolonged by our keeping them private. And as I’ve stated repeatedly, they aren’t even really kept private.

And think of the convenience. Remembering passwords, PINs, ID numbers, and so on is already a herculean task in modern life, and having a public repository where the data is simply posted would simplify our lives tremendously. And while I would ultimately like to extend this argument to many other forms of transactional data, the SSN is an easy place to start. It is basically mandatory and entails almost no personal details of note.

Cons?

Now of course I can hear the SSN experts crawling from the woodwork to explain how much really is told by our SSN. Numbers issued after 2011 are randomly assigned, but prior to that the numbers actually corresponded to where and when the number was issued (and indeed they could be calculated); the first three digits technically corresponded with the location where you registered (the remainder works as a form of sequential serial number). Prior to 1974, these numbers represented the physical office where you registered, and afterwards they were assigned based upon the mailing address you listed when you filed your application. This is arguably private information, but only in the most pedantic sense. So while I acknowledge this argument, I do so only to utterly disregard it. The amount of potentially private information that can be gleaned from the SSN lies somewhere between trivial and non-existent.
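The field layout described above can be checked mechanically, which is what a breach-notification or data-loss-prevention pipeline does when deciding whether a nine-digit string in a leaked export is even a possible SSN. The following Python is an added example, not code from the original post: it splits a number into the three fields the SSA calls area, group and serial, rejects combinations the SSA has never issued (area 000, 666 or 900–999, group 00, serial 0000; these rules are public SSA facts, not taken from this post), and scans a constructed sample text for plausible candidates. It does no location lookup and says nothing about whether a number is assigned to anyone; it only weeds out impossible ones, which keeps a detector's false positives down.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Formatted form AAA-GG-SSSS: area, group, serial (the SSA's names for the fields).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass(frozen=True)
class SsnParts:
    area: int    # before the 2011 randomization this reflected where the number was issued
    group: int
    serial: int  # sequential within an area/group block before randomization

    def formatted(self) -> str:
        return f"{self.area:03d}-{self.group:02d}-{self.serial:04d}"


def parse_ssn(candidate: str) -> Optional[SsnParts]:
    """Accept AAA-GG-SSSS or AAAGGSSSS; return None if the shape is wrong."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", candidate.strip())
    if m is None:
        return None
    return SsnParts(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def structurally_possible(parts: SsnParts) -> bool:
    """True if the SSA could ever have issued this number.

    Never-issued values: area 000, 666 and 900-999; group 00; serial 0000.
    Passing this check does not mean the number belongs to anyone.
    """
    if parts.area == 0 or parts.area == 666 or parts.area >= 900:
        return False
    if parts.group == 0 or parts.serial == 0:
        return False
    return True


def find_possible_ssns(text: str) -> List[str]:
    """Scan free text for hyphenated SSN-shaped strings and keep the plausible ones."""
    found = []
    for m in SSN_RE.finditer(text):
        parts = SsnParts(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        if structurally_possible(parts):
            found.append(parts.formatted())
    return found


# Constructed sample: lines of the kind a leaked customer export might contain.
# Only the first record has a structurally possible SSN.
SAMPLE_TEXT = """\
customer_id=4471 name=J. Example ssn=123-45-6789 plan=basic
customer_id=4472 name=Test Record ssn=000-12-3456 plan=basic
customer_id=4473 name=Placeholder ssn=666-01-0001 plan=basic
customer_id=4474 name=Bad Area ssn=987-65-4321 plan=basic
customer_id=4475 name=Bad Group ssn=123-00-6789 plan=basic
order=2019-12-31 total=12.50
"""

if __name__ == "__main__":
    print(find_possible_ssns(SAMPLE_TEXT))  # ['123-45-6789']
```

Structural filtering is a negative test only: it tells you which strings cannot be SSNs, so a leak triage tool can ignore them, while anything that passes still needs confirmation against the system the data came from.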

The slightly more persuasive argument is that the SSN is not actually required, and publishing a full list would also identify those who, for religious or political reasons, don’t have one. While the overwhelming majority of citizens and permanent residents have an SSN, there are select minorities that do not. Its purpose is for Social Security and Medicaid, so groups that are exempt from these programs may choose to not have an SSN, e.g., the Amish. While this is an issue, it is easily remedied: make the SSN mandatory. This would not require their participation in the system; it would merely serve as a way of officially cataloging those who are not to receive benefits. (I realize that there are some groups that object to the very existence or use of such a number, but these arguments have been rejected by the Supreme Court and should not be a bar to creating a uniform, efficient system.)

I think the most prevalent criticism would be simply from a dislike of lists of information about people existing at all. I suspect many detractors simply dislike the idea of being on a publicly available list generally, without a specific reason for why it is hurting them. Since this information is already in the hands of the government, this would have to be an objection based on other citizens having access. But this is not a dossier (Facebook is rapidly doing that for us); it is literally just a list of names and the corresponding numbers. Our society has mythologized data to some degree, but when looked at in purely objective terms, I don’t see how this is harmful. Once the SSN is no longer used to authenticate, there will be nothing anyone can do with it except refer to an individual by their number rather than by their name.

The only truly substantive argument against publishing SSNs is that SSNs are used so widely as a form of authentication, which is of course the very thing I am railing against. This is the activity that needs to stop, so while we might need to impose a time delay to allow companies to change, the ultimate goal should be to put an end to the use of identifiers as authenticators, starting with the SSN. An entrenched bad system is still a bad system.

Then what should we use?

Authentication is in many ways built upon a house of cards. Authenticating a new user often relies upon them already being authenticated by a prior, trusted system, creating a loop of logic that makes it difficult for entirely new people to be authenticated. The use of the SSN is really just a bad way of dealing with this problem. But better options aren’t always forthcoming. Our relationships with individual institutions are easy to authenticate because we can generate institution-specific usernames and passwords. These don’t prove that you are you in the existential sense, but rather prove that you are the same person who created the account, which is usually good enough. And creating links between institutions can piggyback on this system of username-authenticity, which helps explain why Facebook pages are so widely used by other websites: the website doesn’t need me to prove I am Scott Russell, it is enough for me to prove that I am the person who has the Facebook page with the name Scott Russell.

But when dealing with more substantive institutions, like banks or credit card companies, we really need a more robust system of authentication, which must inevitably stem from the government. This is the role the SSN currently plays: it is a pseudo-authenticator with the government’s stamp of approval. But what we really need is a government-issued authentication system, wherein each citizen and permanent resident has a means of proving that they are a specific citizen, which other companies and institutions can verify. This would not be a static number, but would be more like a token generator, or ideally multi-factor authentication. Although more complex, such a system would actually allow for robust authentication, and would enable security and authenticity for the entire country.
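To make the identifier/authenticator split concrete, here is an added Python example (not the post's own code, and not any real agency's or bank's system) that sketches the account model argued for in the preceding sections: the SSN is stored as a public lookup key and nothing more, the knowledge factor is a per-institution password kept as a salted PBKDF2 hash, and the possession factor is a device-held secret driving an RFC 6238 time-based one-time code, which is what the "token generator" in the text amounts to. For contrast, `weak_ssn_check` is the pattern the post criticizes: anyone who knows the number passes. The function names, the constructed account and the placeholder SSN are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30          # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


@dataclass
class Account:
    name: str
    ssn: str             # identifier: selects the record, proves nothing about the caller
    pw_salt: bytes
    pw_hash: bytes
    totp_secret: bytes   # possession factor: held only by the user's device and the server


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(name: str, ssn: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = os.urandom(16)
    return Account(name, ssn, salt, hash_password(password, salt), totp_secret or os.urandom(20))


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password (dynamic truncation of HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(unix_time // step), digits)


def weak_ssn_check(account: Account, claimed_ssn: str) -> bool:
    """The pattern the post objects to: knowing the identifier is treated as proof."""
    return hmac.compare_digest(account.ssn, claimed_ssn)


def authenticate(account: Account, claimed_ssn: str, password: str, code: str,
                 now: Optional[float] = None) -> bool:
    """The identifier picks the record; only the two real factors grant access."""
    if claimed_ssn != account.ssn:
        return False                      # wrong record, nothing to check against
    expected = hash_password(password, account.pw_salt)
    if not hmac.compare_digest(expected, account.pw_hash):
        return False
    now = time.time() if now is None else now
    # Tolerate one step of clock skew on either side; compare in constant time.
    return any(
        hmac.compare_digest(totp(account.totp_secret, now + d * TOTP_STEP), code)
        for d in (-1, 0, 1)
    )


if __name__ == "__main__":
    # Constructed enrollment; the SSN is a placeholder, not a real number.
    acct = enroll("Example Person", "123-45-6789", "correct horse battery staple")
    t = time.time()
    good = totp(acct.totp_secret, t)
    print(weak_ssn_check(acct, "123-45-6789"))                               # True for anyone who knows it
    print(authenticate(acct, "123-45-6789", "wrong password", good, t))     # False
    print(authenticate(acct, "123-45-6789", "correct horse battery staple", good, t))  # True
```

The point of the split is visible in `authenticate`: a mismatched SSN simply means "no such record," the same outcome as a typo, whereas only the password hash and the one-time code decide whether the caller is trusted, so leaking the SSN in a breach costs the account nothing. The HOTP and TOTP routines are checked against the published RFC 4226/6238 test vectors for the ASCII secret `12345678901234567890`.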

Wrapping Up

I apologize if some of this discussion is hard to follow. Authentication isn’t something we think about very often, because the ways we typically authenticate are subconscious. We authenticate based on each other’s faces, voices, clothes, and habits. If you call a friend’s phone number, you authenticate based on the number you dialed, the voice you hear, and the way they talk. When any of these details is amiss, we become skeptical. But in an online environment, anonymity is the default, and obfuscation and mimicry are extremely easy, rendering our innate mechanisms for authenticating obsolete. And while systems like public key encryption provide a partial solution, we must ultimately create an infrastructure that allows us to reliably determine who we are dealing with in an online environment.

In my mind, making the SSN public is up there with removing the penny. It just makes sense. Happy New Year!

-Scott
