In both the Anthem insurance hack and the two Office of Personnel Management hacks this year, attackers gained access to Social Security numbers, affecting 80 million and more than 22 million people respectively. The total between the two is probably less than 102 million (if some people were exposed by both), but given that the population of the United States is about 319 million, you can see how we kind of have a problem here.
Even crazier than the idea that more than one-quarter of SSNs could have been compromised in two hacks is the realization that Anthem and OPM are far from the only large-scale breaches. And since SSNs are tied to tax forms, credit cards, medical records, and even cellphone bills, they are more valuable for identity thieves than other personal data like birthdays, email addresses, and passwords.
Following the Anthem breach, an NPR segment in February looked at the damage to individuals when identity thieves get their Social Security numbers. Adult care provider Brandy Freeman from Jacksonville, Florida, told NPR that one day her boss called her asking why she had filed for unemployment when she already had a job. She didn’t know that her SSN had been compromised or how. “He’s like well you have a big problem,” she said.
And it’s not just Freeman—the United States has a big problem. It seems that no one’s Social Security number is safe; if yours hasn’t been compromised yet, it probably will be soon, given the high rate of large-scale data breaches. But no one knows what the solution to this problem is. The Social Security number system surpassed its original purpose long ago—and now it’s floundering.
You might think the first place to start to fix this mess is the Social Security Administration. After all, that’s the place responsible for giving out the numbers. But the SSA “does not have any research projects focusing on alternatives to the SSN nor are we working with other agencies on this type of research,” representative Dorothy Clark wrote in an email. And the administration seems just as frustrated with the situation as consumers. As it notes in a history on its website, “The Social Security number was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers. … The card was never intended to serve as a personal identification document.”
Today the administration offers consumers guidelines and best practices for keeping SSNs secret and minimizing risk. It points out that private businesses (aside from employers and financial services like banks) can’t legally mandate that consumers provide their number and emphasizes that individuals should think carefully each time they are asked to disclose their number.
But if you’ve ever signed up for, well, basically anything, you know that most people don’t follow this advice. And the administration admits that “just say no” has its downsides. “[Consumers] should know that refusing to give the number might mean doing without the purchase or service for which the number was requested,” Clark wrote.
It’s imperfect, but just creating the existing system took an enormous amount of work. The administration site explains that getting the system off the ground in the first place was an onerous project: “Many said the task was impossible.” And if it seemed like an insurmountable task in 1935 (when the U.S. population was 127 million), it would certainly seem that way now with both physical and digital security to consider. And then there’s the politics of it all.
The idea of a uniform national ID has been floating around for decades and resurges periodically. For example, after the 9/11 attacks, some politicians suggested national IDs as an option for combating terrorism and illegal immigration. In February 2013 the Washington Post published an editorial expressing support for implementing some type of national identification program. The editorial board acknowledged common concerns about tracking and government surveillance (a scenario outlined by privacy advocates like the American Civil Liberties Union) but concluded, “[These] criticisms ring hollow.” It pointed out that passport adoption in the U.S. is at an all-time high in spite of the fact that U.S. passports have contained chips since 2007 that could be used for tracking or even facial recognition. But lawmakers (and voters) on both sides of the political spectrum consistently balk at the idea of a national ID, either because it represents excessive government intervention or because of privacy infringement.
But Kevin Drum noted in Mother Jones in January 2012:
Most of us already have picture IDs in the form of driver licenses. And nearly all of us have a permanent ID number in the form of a Social Security number. So like it or not, if you’re worried about having tons of information about yourself collected into computerized databases—well, that ship sailed a long time ago.
The Social Security Administration itself even says that the numbers have “come to be used as a nearly universal identifier.”
So a de facto national ID already exists, and it’s facing a security crisis. But it’s unlikely to be put out to pasture any time soon. “In general I’m not aware of any organization that is looking to come up with a national identifier,” said Steve Toporoff, a Federal Trade Commission attorney in the Division of Privacy and Identity Protection. “That just doesn’t seem to be in the cards. What people are working on is a move away from the use of Social Security numbers.”
In order to change your behavior so you don’t give out your SSN all the time—and understand why SSNs really are so insecure—it’s helpful to understand the distinction between an “identifier” and an “authenticator.” An identifier is something like a name, a username, or even a bank account number that indicates “who” or “what.” An authenticator is a way of proving that the identifier is valid for the person or entity. Authenticators are something you know (a password), something you have (your car key), or something you are (your body can provide biometrics).
Though they really function better as identifiers, SSNs are often used as authenticators on the assumption that they have been kept secret (something you know). When you call your cable company and a customer service rep asks “What’s your name and what are the last four digits of the social on the account?” they’re using your name as the identifier and the SSN to authenticate it. It’s the same reason that passwords are often insecure authenticators and that many Web services are now offering two-factor authentication like when your bank texts a passcode to your previously registered cellphone number. Something you know isn’t a good authenticator by itself unless that piece of information is truly and totally secret.
Unfortunately, a national ID system might not be an improvement on the SSN situation in the long term anyway. As Toporoff at the FTC points out, “If there were a single alternative then that would suffer the same fate.” In a 2009 Slate piece, Chris Wilson highlighted a Carnegie Mellon study in which an algorithm could use birthday, state of birth, and public records to guess people’s SSNs with up to 10 percent accuracy depending on the state. “The simplest way to improve upon SSNs would be to diversify the way we identify ourselves,” Wilson wrote. “If we started using different ID numbers for different things, you wouldn't be able to take out a line of credit in my name if you stole my driver's license.”
And the government is investing in a system to encourage more diverse verification. The “Identity Ecosystem” would provide secure and interoperable identification and authentication. But the effort isn’t intended to replace SSNs—it’s targeted at online interactions (situations in which we currently use usernames and passwords). The National Institute of Standards and Technology initiative, called the National Strategy for Trusted Identities in Cyberspace, or NSTIC, is working to create cybersecurity collaboration between the public and private sectors to develop a variety of standardized approaches to identification and authentication that can work across different platforms and allow people to choose the right security measure for each type of data they store online. You might not need four authentication steps to guard your microwave’s serial number, but you definitely want serious protection for your child’s medical records.
It’s “about establishing a marketplace where consumers have choice,” said Michael Garcia, the acting director of NSTIC. “All authentication in the end is about being risk-based. You don’t want to overdo security because that can create user burdens, but you don’t want to underdo it because that creates risk.”
Cybersecurity improvements from NSTIC and other organizations will hopefully mean fewer hacks, but they don’t directly address the Social Security number problem. For now the use-SSNs-for-fewer-things approach seems to be the only game in town, and even that is a slow process. Medicare, for example, is overhauling its system so the cards it gives out to policyholders no longer display their Social Security numbers. According to the New York Times, more than 50 million Medicare cards include SSNs. Though this seems like a pretty obvious problem (private insurers that contract with Medicare are already forbidden to put SSNs on cards), no one took action to fix it until President Obama signed a bill mandating new cards in April. The Times reports that Medicare has four years and $320 million from Congress to begin issuing cards that don’t display SSNs. Then the program has another four years to replace all existing Medicare cards. When I asked the Department of Health and Human Services for an update on the early phases of the transition, a representative said that Medicare is waiting for an implementation plan from the White House policy team.
Last year MarketWatch published a piece titled “Is the End of Social Security Numbers at Hand?” The answer is no. For now the best thing you can do is resist giving the number out to entities that don’t have a legal right to use it. But that isn’t much consolation for the millions of Americans whose SSNs have already been compromised. Garcia says, “There is no such thing as a silver bullet in cybersecurity.” Ain’t that the truth.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.