They’re supposed to be the nine most closely guarded numbers in your life. But with an ever-growing number of companies asking for Social Security numbers — and then hit by cyber breaches exposing them — experts say the Social Security number is clearly a flawed way to accurately identify someone.
In fact, some argue that the IDs should be all but retired. “Congress should prohibit the use of Social Security numbers as a personal identifier outside of the Social Security system itself,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, wrote recently at Real Clear Policy.
Yet coming up with a good alternative is not an easy task. People have been thinking about it for years. In 2011, the Obama administration set up a center to look into the concept of a digital identity. After the Equifax breach, privacy and security experts have called for more funding for that program, the National Strategy for Trusted Identities in Cyberspace, to replace the Social Security number as an identification number in the public and private sector. Part of that group has come up with a set of best practices for security, but even with improving identification and security technologies, no silver bullet has emerged for replacing this broken system.
One issue with Social Security numbers is that they’re widely distributed and, therefore, not at all private. You can hardly rent an apartment or apply for a job today without coughing up your SSN. Thanks to breaches, your number could be found nearly anywhere.
Second, they aren’t particularly secret. The first three digits are known to be a geographical code based on where you lived when you first registered for your number. (You can find those codes on Wikipedia, for crying out loud.) Another component for making a number? Your birth date, which is basically public information in an age of the internet.
So even if someone gets just part of your number, it can be easy to figure out the rest. Researchers in 2009 wrote an algorithm that could predict a Social Security number correctly 44 percent of the time in the United States overall and as much as 90 percent of the time in smaller, individual states. And that was without having the last four digits — the numbers we most commonly give to companies and therefore at highest risk in a breach.
Which brings us to another big issue with the SSN: It’s not easy to get a new one. The Social Security Administration lists fraud among the allowed reasons for obtaining a new number, but you have to submit proof of continuing harassment and other documents that prove who you are. When companies such as Equifax aren’t proactive or clear about telling users whether their information has been exposed, that leaves the average person in a lurch.
One possible alternative is biometrics. The strength of biometrics is that your face and fingerprints are uniquely yours on a detailed level. (Even identical siblings have different freckles, scars, etc.)
But that’s also a weakness. Fingerprints are public, as Sen. Al Franken, D-Minnesota, noted in a 2013 letter to Apple detailing concerns about its Touch ID scanners. We leave traces of our prints on everything we touch. Our faces are also quite public, especially in the age of social media — a point Franken brought up again last week after Apple introduced Face ID.
Another alternative is a technology known as blockchain, which creates a public ledger of transactions. Estonia uses a form of blockchain technology — which powers cryptocurrencies such as bitcoin — as the backbone for a digital ID system its citizens use for medical services, travel checkpoints and even for voting.
The appeal of blockchain is that individuals would know when their number was being used because the technology allows for transactions to be logged publicly, said Daniel Riedel of the security and automation data firm New Context. Blockchain would notify you when requests for your number come up and could let you block transactions. But, Riedel said, the United States would need to develop its own system, requiring significant research and investment.
Others, particularly in the health sector, have suggested a unique national ID number, similar to what other countries, such as the United Kingdom and Japan, use for their national health services or central identification. But simply proposing a new ID number could lead to the same issues we have with Social Security numbers. That idea also worries those who fear that we’d be giving the federal government too much power. And it doesn’t sit easily with some privacy experts.
“We should avoid the creation of a general purpose ID in the private sector. Such a number enables secret profiling and tracking of consumers,” Marc Rotenberg, executive director at the Electronic Privacy Information Center, said. EPIC was among those who successfully lobbied for SSNs to be removed from Medicare cards.
In the end, we may need to trade away the simplicity of a single number.
“The better approach is to have customer IDs for specific purposes. That would give consumers greater control over their personal data,” he said.