Time to Retire Social Security Numbers
There’s no way to sugarcoat it: The hackers who breached the credit bureau Equifax scored big. They made off with the personal identities of 143 million Americans — names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers. With that kind of information circulating on black markets, criminals can perpetrate all sorts of financial fraud, from opening credit cards in other people’s names to claiming their tax returns. It will upturn lives.
Along with hurricane recovery, addressing this problem should be an urgent priority for Congress. There should be two main focuses.
First, lawmakers should harden the country’s tactical defenses by passing a national data breach bill, requiring companies to disclose their cybersecurity policies, and creating new training opportunities to eliminate the country’s cybersecurity workforce shortage. But while these changes might help prevent the next attack, they will not do anything to help victims whose Social Security numbers are now in the wild. So, lawmakers should also adopt a more fundamental shift in strategy when it comes to protecting people’s identities: They should replace America’s outdated system of Social Security numbers with a secure alternative that effectively turns other forms of personal information into worthless trivia.
The reason criminals go after the kinds of data that hackers plundered from Equifax is that government agencies, banks, hospitals, and others routinely use Social Security numbers, sometimes in combination with other personal information, to identify and authenticate people for official purposes. In effect, Social Security numbers function as both usernames and passwords, albeit ones that are widely shared and impossible to change. This leads to an inherent contradiction: citizens are routinely advised by government security experts not to share their Social Security numbers, but then find they must share this information to rent an apartment or apply for a marriage license.
Thus, victims of the recent breach may find themselves hounded by creditors they have never heard of, unable to buy a home, or denied a new line of credit. Survivors of Hurricanes Harvey and Irma might find themselves particularly vulnerable to attack given the massive number of payments going out from insurers and the federal government. Fraudsters even use stolen personal information to steal healthcare benefits. So, not only do victims face unpaid hospital bills for services they never received, they could find that another person’s medical history has made its way into their own records. The resulting misinformation can create life-and-death situations for patients who face delays, misdiagnoses, and even incorrect treatments until they can correct the records.
The Equifax attack was extraordinary in its scale. The only silver lining is that it is now abundantly clear we need an equally extraordinary response. To do that, Congress should prohibit the use of Social Security numbers as a personal identifier outside of the Social Security system itself. The fact is they were never designed for all these other purposes — indeed, for a time, Social Security cards even plainly stated “not for identification.” Retiring them from that function would immediately devalue much of the data hackers grabbed from Equifax and make similar future cyberattacks less profitable.
We should replace the outdated, paper-based system of Social Security numbers with a secure identity system built for the digital era. To accomplish this, Congress must significantly expand the National Strategy for Trusted Identities in Cyberspace, an initiative led by the Department of Commerce to create secure electronic IDs that can be used both commercially and in government.
These electronic IDs would allow individuals to prove their identities (or attributes about their identities) securely to other systems — a complete replacement of the 80-year-old SSN for the digital era. Individuals could use these electronic IDs for a variety of purposes, from applying for credit and signing legal documents to verifying they are over the age of 21 when ordering wine online. The State Department, which already has systems and processes in place to verify the identity of individuals who apply for passports, could issue these electronic IDs. The IDs themselves could be either physical or digital artifacts, such as a smartcard or digital certificate installed in a mobile app.
These changes will require political leadership. But Congress has shown that when disaster strikes, it can avoid partisanship and move quickly to aid victims. Let us hope that Congress can rise to this occasion as well.
Daniel Castro (@CastroTech) is vice president of the Information Technology and Innovation Foundation, a leading science and tech-policy think tank.