I’ll be speaking at the Miami KnowledgeNet event on July 14th. The event will be held from noon to 1:30pm at
LexisNexis Risk Solutions
5000 T-Rex Avenue
Boca Raton, FL 33487
I’ll be talking about Privacy By Design, it’s history, justification, principles and ideas for implementation. If you’re interested in attending go to the IAPP KnowledgeNet site.
Social Security Numbers have the unenviable position of being both identifiers and passwords. They are designed to uniquely identify individuals (in the US) but yet are supposed to be secret enough that companies’ attempt to rely on them as passwords, keys to that person’s account. However, unlike passwords in online systems which are (if proper protection is taken) transmitted and stored as hashes to prevent easedroppers or hackers from learning the password, SSNsare most often transmitted and stored in plain text. The SSN is usually given to an employee of the company who must be trusted not to reveal it or use it for disallowed purposes. When one looks that this password is shared amongst many companies, the vulnerability is clear.
Social security numbers should really only be used as unique identifiers, and then only to correlate accounts and tie an account to a specific individual. However, at no time should the SSN be used to identify a physical person as the person behind the social security number. Just because someone knows an SSN does not mean that they should be authorized as the owner of that SSN.
To push this notion through society, I would like to propose a law that would force companies to stop relying on SSN as proof of identity. How do we do this? Not by making sanctions and imposing regulations on companies for misuse, but a simply by pubilshing Social Security Numbers and names of the corresponding owners. The simple feat of maknig this information widely accessible and known to be widely accessible would quickly force companies relying on the false security of the SSN to reengineer their processes not to rely on that false notion.
The recent revelation that Google is applying to allow driverless cars on the road in Nevada combined with the stink over E-Verify (the backdoor National ID attempt) and its collection of drivers license data ala REAL ID got me thinking. What happens to the identity infrastructure in this country if drivers and necessarily drivers licenses go by the wayside? It has always been a pet peeve of mine that drivers license have become the defacto identification in our society, because so many people have them and must have them to drive. Its a classic case of mission creep, where drivers license, which once were solely issued to display that the bearer had a license to drive (i.e. met the minimum standards) but now are used in all sorts of scenarios to verify identity. In the future it seems, people might not need this ubiquitous item. Its quite possible that most people may just transition to state issued ID cards, but it is interesting the pontificate on the alternative.