
In the wake of the massive Equifax data breach, once again a spotlight has been shone on the overuse of the not-so-secret number that passes for a national ID in the United States–the Social Security Number (SSN). Maybe we have become numb to these hacks and data breaches. What, my credit card number was compromised? The credit card company will cancel it and issue another one. My address information? My cell number? Well that's already out there in many places. My bank account number? Whatever, I'll change it.

Hold it–someone got my SSN? That's not an easy one to change. And unfortunately, that one is overused for identity not just by government agencies, but also by utilities, telecoms, and financial services companies to identify you and give you credit and access to their services.

Origins of the SSN

The SSN was never designed to be a universal ID. It was designed to uniquely identify an individual, track their lifetime earnings, and enable them to collect their benefits upon retirement. The IRS and a host of other government agencies at all levels adopted it as an identifier. Private companies, given the lack of any other form of universal identification, adopted it as a form of establishing accounts unambiguously. And it has become a requirement for having a bank account and most any other financial service.


The SSN is the key to all the information major credit bureau companies like Equifax hold about us–yet given how often you use it for identification, it can't be considered a secret like a password. In 2009, researchers at Carnegie Mellon University found that they could develop an algorithm to guess SSNs from publicly available data. Part of the reason for that is the original structure of the SSN itself, which is based on the state of issue, with numbers also clustered around birth dates. Since the late 1980s they have been automatically issued at birth. Knowing where and when someone was born–something freely divulged by many on Facebook–can help a hacker derive a SSN with a guessing algorithm and a reasonably powerful laptop.

So the SSN is not a secure form of ID in today's internet-connected world. What's the alternative? After 9/11, the issue of secure national IDs came up as a way to ensure against forgeries of ID documents for travel and other purposes. In 2001, Larry Ellison of Oracle called for a cryptographically secure national ID, and offered to provide the needed technology free of charge. The reaction was predictable, as conservatives, libertarians, and civil liberties groups concerned about privacy were doggedly against the concept.

While there continues to be fierce resistance to the above idea, other efforts for more secure IDs have moved forward. Based on the 9/11 Commission's recommendation, in 2005 Congress passed the REAL ID Act, which sets minimum security standards for state issued IDs like driver licenses. This is far from a universal ID, and was really designed for making it harder to forge this type of identification, to enable better security for airline travel and access to Federal buildings. Better security standards for driver licenses will help, as they are still used for physical identification for major transactions such as buying a car or house, but more often than not only the number is needed for a remote transaction of another kind. If a hacker scores a full Equifax profile (including a SSN and driver license number) on someone, they are in business.

Modern Universal ID Design

Outside of the United States, possibly the most ambitious national ID effort is Aadhaar in India, which now encompasses 1.2 billion people. Originally begun in 2009 as a way to uniquely identify people for government social welfare services, it has become all-but-mandatory identification for travel, financial services, and internet services. If that sounds eerily similar to the use of the SSN in the US, well, it is–except Aadhaar is a system based on modern technology, employing fingerprints, iris scans, and photos as unique identifiers.

Some critics in India are concerned about the implications of allowing private companies to tap into the system. Earlier this year, Microsoft showed a demo in Mumbai of its new Skype Lite service using Aadhaar to uniquely identify a user. While the authorization process is similar to using a Facebook or Google login authority to identify someone on the web (which in those cases does not truly serve as an identification of a real person) in that the data about the identity is not passed on, the security and privacy concerns are valid.


Given that the Aadhaar system stores physical identification data, as well as a host of demographic information, a major concern is that if it's compromised, it's really a single point of failure with disastrous consequences for the myriad services that depend on it. While Aadhaar employs state-of-the-art encryption, normally the compromise to such a system comes from a weaker link–an improperly designed or unaudited mobile or web app, or a phishing scam that steals a credential from someone with wide access to the system.

We're Already Compromised

The privacy and security concerns for any type of universal identification database are of course completely valid. If a mandatory national/universal ID were established, how would we keep the government from capturing information on our every transaction? How do we limit private companies and organizations to using it only for identification, without tracking? While these questions are valid, I would submit that our privacy is almost nonexistent already. A few examples:

  • We willingly trade privacy for free internet services from Facebook, Google, Amazon, and many other companies. Our cloud stored emails, messages, pictures, purchases, and files all contain a trove of data about our lives. While ostensibly that data is mined for commercial purposes, privacy laws have not kept up to keep it from being potentially used for more nefarious reasons.
  • The Equifax breach, potentially exposing identifying information of almost 150 million Americans, nearly qualifies as a single point of failure. A significant data breach of a Facebook, Google, or Apple could also be characterized the same way, especially as these companies are all also moving into financial payment services.
  • Databases that serve the health insurance industry have collected a mountain of information about our health history, including hospitalizations, diagnoses, treatments, and drugs prescribed. A universal ID might help to add more to existing profiles–think about health tracking from wearables. But that might actually be beneficial in the long run, as applying big data analysis to it may enable better health outcomes.
  • Our travel is already being tracked. Our smartphone is smart enough to know when we're moving. All those helpful Google cards on how long it takes to get to our next destination? It either already knows from your calendar, or simply has been tracking your movements and analyzing the patterns.
  • The NSA has the computing power to track every unencrypted voice, data, and email message in the country, in the name of national security. And it is used for that purpose. We think. Big Brother is already here.

The point? Privacy is virtually nonexistent in today's world with rapidly advancing technology. But that doesn't necessarily imply either private companies or the government are using this data in nefarious ways, although we know that has happened and will continue to happen in the future. Fear of giving up further privacy should not limit us from using modern technology to solve a real identification problem and deterring fraud. What does need to happen to protect our privacy is the enactment of laws that recognize the collection of this information in the public and private sectors, and put protections and penalties in place to guard against misuse.
