As the raging dumpster fire that is the Equifax breach continues to unfold, I find that I am thinking about identity and the way we use it in our modern life. Equifax was criminally negligent with information that was incredibly valuable to individuals. They should be penalized as an organization with fines and levies, and some of the individuals within the company who were responsible for the security of our data should face possible jail time. But when you step back for a moment, it becomes readily apparent that this is just the latest in a series of data breaches over the past decade, and despite fines, levies, and jail time; this is the sort of thing that is likely to happen again. Why? First, the monetary value of the information is high, meaning that criminal elements are willing to spend the resources to steal the information. Second, organizations are rarely incentivized to take the necessary precautions to secure data. As Greg Ferro likes to point out, as long as the cost of true security is higher than the cost of a breach, organizations are unlikely to adopt true security practices. Third, even if an organization tries to embrace true security, human beings are fallible. Applications have undiscovered exploits, misconfigurations happen, and hackers are always stepping up their game.
Simply saying that an organization needs to be more secure is not addressing the root of the problem, but rather a symptom of that problem. In my mind the primary issue is the intrinsic value of the social security number, date of birth, and other personally identifying information. How do we address this issue? The first thing I would say is to reduce the value of some of these numbers. The SSN is not valuable because of its original intended purpose. Originally instituted in 1936, it was used to keep track of US workers’ earnings histories in order to determine their social security eligibility and benefits. It was never intended to be used as a universal identifier for everyone in the country, and the just because it has become a de facto standard doesn’t mean that it should be. It is patently ridiculous that we expect a single number to uniquely identify everyone, and have everyone keep their number secret. Benjamin Franklin famously said, “Three can keep a secret, if two of them are dead.” There’s no way that your SSN can stay secret if you’re expected to give it during a credit application, your college application, to your doctor’s office, etc. If just one of them spills the beans, then the jig is up! And that’s exactly what happened with Equifax. Unique identifiers cannot also be secrets by their very nature. The SSN cannot be one (secret) and shouldn’t be the other (unique id). Those are two separate problems that require two different solutions.
I’d like to go on a slightly philosophical tangent here about identity. A more fundamental question to ask is, do we need a universal unique identifier for each person on the planet. The engineer in me says, yes of course. But the rest of me bristles at the idea. What is the true utility of a universal ID? Can I, as an individual, demand that I be forgotten? A UUID is a link between my past and future, and there may legitimately be times that I would like to sever that linkage. Think about how someone would be identified 200 years ago. It’s unlikely there would be a photograph. There were no fingerprint or DNA databases. Aside from relying on another person for identification, there was really no way to confirm someone’s identity. There’s a certain freedom in that, as well as the potential for abuse.
So do we need a UUID and who needs it? Let’s think about some of the institutions that use your SSN now. Your doctor asks for your SSN, but they don’t need it. They need a system to identify you for a couple reasons:
- Your medical history
- Health insurance and billing
Technically your medical history belongs to you. It’s useful for your doctor to have and be able to share with others. But there is no reason they need to use the SSN. What if instead you provided them a signed, access token to your medical records. When other institution needed access, you could grant them access with a unique token as well. In the event that you were done working with a particular doctor’s office, you could revoke the token and thereby their access. This is your information after all, and the doctors charge you plenty to add information to it.
Health insurance and billing is mostly handled today between your doctor’s office and the insurance company in a manner I can only describe as arcane and byzantine. There are entire industries that exist solely to navigate the twisted morass that is our healthcare debacle… I mean system. The point is, this is their problem, not yours. So it’s up to them to give you a unique identifier, which they do. It’s on your healthcare card. If they need to verify that the person making the claim is actually you, then they should set up a two-factor confirmation system. In that case, they could issue you a private key that you use to generate signed confirmation messages.
In both examples we are using a private/public key pair, wherein you never give anyone access to your private key. This enables you to both verify your identity and control access to sensitive information. This is security 101. Additionally, the unique identifier that your doctor and insurance company use for you is different and unrelated. If your insurance company is compromised, the information cannot then be used to access your doctor’s records, let alone your financial history and bank accounts.
Reduce the value of the information and limit the scope of usefulness for each ID.
What if your private key is compromised? Well the good news is that you would be to generate a new private key, and void all existing public keys and certificates tied to the original private key. Of course the burden of proof would be higher to issue the void command, but at least it isn’t a 9 digit number that you cannot change and that haunts you for your entire life.
Of course I realize that instituting such a program would be a massive undertaking both financially and logistically. Then again, how much is the current situation impacting us economically? The amount of money that credit card companies and financial institutions have to spend paying off fraud should easily balance out the cost of creating a better way to identify people. It’s in our best interest as the public, and it’s in the best interest of the banks, lenders, and credit agencies. Heck it’s even in the best interest of the government. I don’t expect immediate change since all of the systems tend to move slowly, but an important first step would be for the SSA (the Social Security Administration) to condemn and make a policy against the continued use of the SSN as a universal identifier in any system.