When Yahoo was hacked, we threw away our passwords and got new ones. When Target was hacked, we threw away our credit cards and got new ones. Now that Equifax has been hacked, we’ll have to throw out our social security cards and get new ones. Alas, such a thing is not currently possible, and that’s a big problem. It’s not that we shouldn’t have a national ID number. A robust credit system requires (1) a standardized system to identify who owes what so the government knows whose stuff to take if a debt is not paid and (2) a standardized system for recording past and current credit so that borrowers can support their creditworthiness. It was point (2) that got hacked, but it was the design of point (1) that makes the hack such a big problem. The social security number (SSN) is poorly suited for its role. As long as the SSN is both the account number and the unchangeable password for all our financial instruments, we will endure costly and rampant fraud. Just as the size of the Target hack forced the US to finally rethink credit card security, the size of the Equifax hack should force us to rethink our national ID security.

The basic silliness of our current system has been well covered by others, but in short, the social security number is merely our de facto national ID in the US, a task for which it was not originally intended and for which it has never been suited. The main problem is that there is no authentication associated with this number: the SSN is both the identifier and the secret, so simply knowing the number is accepted as proof that you are who you say you are. The number we give to our dental hygienist to organize our records is the same number we recite to receive a loan from the bank. And if you can’t trust a hygienist not to take out a loan in your name, who can you trust? Identity theft was a problem before, but now that one of the credit reporting bureaus has leaked essentially everyone’s information, the existing system is unworkable. Undoubtedly, Congress will make patches in the near future, but this post is for rethinking the national ID system as a whole.

Add authentication

There are many ways to add security to the national ID system. I expect that Congress will add a PIN in the short term. That would be an easy-to-implement stopgap, because at least a PIN can be changed when it is stolen; but a PIN is still just a second secret that gets copied wherever it is typed, so it inherits most of the SSN’s problem. A far better solution would be to associate an online account with the number, protected by a password and a second factor. Once there is an internet-facing account, huge swaths of financial transactions can be made secure through whatever forms of authentication are attached to it. When someone signs up for a credit card or a mortgage, the lender could send the contract to the account, where it is digitally signed and returned with the click of a button. Maybe all contracts should be signed this way. A pen signature is a comically bad way to prove that someone is who he says he is: it is easy for a faker to make a signature that looks real, it is easy for a real person to make a signature that looks fake, and there is no way to check anything at the time of signing. When a contract comes back saying, “David Hagen, ID# 6487-ed51-10b4-611a, agrees to pay back the loan of $21987 for a car SN# 2b7e-1516-28ae-d2a6,” signed with the key registered to that ID, the bank can rest assured that the real David Hagen is driving off with the car, and at other times the real David Hagen can rest assured that no one is driving off with a car under his name. The guarantee is exactly as strong as the protection of the account’s signing key, which is why the account itself has to be hard to take over: the signature proves that the key holder agreed, and the whole scheme is in trouble if the key holder is not the person.
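As an added example (not part of the original post), here is the contract exchange described above in Go: the account holds an Ed25519 key pair, the lender sends a contract, the holder signs its canonical bytes, and the lender verifies against the public key that the registry publishes for the ID named in the contract. The `Account`, `Contract` and `Registry` types, the canonical text format and the choice of Ed25519 are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Account is a citizen's national-ID account together with its signing key.
// In production the private key would live in a hardware token or the account
// service's HSM and be unlocked by the account's login; it is in memory here
// only for illustration.
type Account struct {
	ID   string // dashed 64-bit ID, e.g. "6487-ed51-10b4-611a"
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewAccount enrolls an ID with a fresh Ed25519 key pair.
func NewAccount(id string) (*Account, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Account{ID: id, pub: pub, priv: priv}, nil
}

// PublicKey is the part the registry publishes so that any lender can verify.
func (a *Account) PublicKey() ed25519.PublicKey { return a.pub }

// Contract is the statement a lender sends to the account for signature.
type Contract struct {
	Name      string
	ID        string
	AmountUSD int
	AssetSN   string
}

// Canonical renders the contract as the exact bytes that get signed. Signer and
// verifier must produce identical bytes, so the format is fixed in one place.
func (c Contract) Canonical() []byte {
	return []byte(fmt.Sprintf("%s, ID# %s, agrees to pay back the loan of $%d for a car SN# %s",
		c.Name, c.ID, c.AmountUSD, c.AssetSN))
}

// Sign is the "click of a button": the account holder signs the contract.
func (a *Account) Sign(c Contract) []byte {
	return ed25519.Sign(a.priv, c.Canonical())
}

// Registry maps each ID to its published public key (the lender's view).
type Registry map[string]ed25519.PublicKey

// VerifyContract is what the lender runs on the returned contract. It looks the
// key up by the ID named in the contract itself, so a valid signature under
// someone else's key, or a contract naming an unregistered ID, is rejected.
func (r Registry) VerifyContract(c Contract, sig []byte) bool {
	pub, ok := r[c.ID]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, c.Canonical(), sig)
}

func main() {
	acct, err := NewAccount("6487-ed51-10b4-611a")
	if err != nil {
		panic(err)
	}
	reg := Registry{acct.ID: acct.PublicKey()}

	contract := Contract{Name: "David Hagen", ID: acct.ID, AmountUSD: 21987, AssetSN: "2b7e-1516-28ae-d2a6"}
	sig := acct.Sign(contract)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("genuine contract verifies:", reg.VerifyContract(contract, sig))

	tampered := contract
	tampered.AmountUSD = 91987 // altered after signing
	fmt.Println("tampered contract verifies:", reg.VerifyContract(tampered, sig))
}
```

Two details matter in practice. The lender looks the key up by the ID the contract names, never by a key the signer attaches, so a valid signature under someone else’s key proves nothing. And the canonical bytes must be produced identically on both sides; a real system would use a fixed serialization of the contract fields rather than an English sentence.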

Creating these accounts in the first place would necessarily be a bit onerous, on the order of getting a passport. It would be important to carefully verify that the account being created is for a real person and that the person applying for it is who he says he is. Proving this under the current system is kind of hard (which is why we need a national ID service in the first place), but it can be reasonably done by checking a birth certificate and a social security card, and then taking a photo and fingerprints. Fingerprints in particular would be necessary to prevent duplicates, that is, one person enrolling twice under different names. Note that fingerprints belong at enrollment, for de-duplication, and not as the everyday login secret: a fingerprint, like an SSN, cannot be changed once it leaks.

Use a big number

It would be tempting to simply add authentication to a system that keeps the social security number as the ID. This would be better than nothing, but the SSN is actually not a good ID number for several reasons. The first reason is that it is too short. A social security number has 9 decimal digits, which is enough to identify 1 billion people. With roughly 450 million numbers already issued, about 4 million births a year, and about 1.4 million immigrants a year, we have about 100 years left before exhaustion. It is tempting to round up to a 32-bit number (about 4 billion numbers), which would last a few hundred years assuming nothing changes drastically with birth rates or immigration. But ultimately, I think we should not make the mistake of allocating just enough to meet current needs, kicking the can to a future that may come sooner than expected. Let’s allocate enough numbers so that we will never run out. I propose using a 64-bit number, which is sixteen hexadecimal digits like 6487-ed51-10b4-611a. That is still quite memorizable, especially as it could replace every other ID I have ever received. At current birth rates this would last trillions of years. Not only is this enough for the USA forever; at a worldwide birth rate of 130 million a year, we could number all of humanity for hundreds of billions of years. The US could draw from the same pool to number visitors and visa holders, who would not normally receive social security numbers. Ultimately, I would welcome other nations to join a common numbering system so that people could use the same ID no matter where they went.

Make the number completely random

Another problem with the SSN is that there is so much structure to it. Until 2011, numbers were assigned in blocks tied to the place and time of issue, so for someone whose number was issued before 2011 (for most people, at birth) the SSN reveals approximately where and when he was born. Conversely, knowing when and where someone was born makes it possible to make a good guess at his SSN. As a society, we may or may not want the circumstances of all citizens’ births to be public knowledge, but the structure of the ID number should not make it impossible for anyone to hide this or any other information. The ID number should do one thing and do it well: act as a unique ID. Therefore, each person’s number should be generated completely at random, from a cryptographically secure random number generator, with the registry checking for collisions at allocation time: even in a 64-bit space, a billion random draws produce a handful of duplicates, so uniqueness has to be enforced rather than assumed.

Add a checksum

Another problem with the SSN is that making an error when writing the number down is very likely to result in a valid SSN, just somebody else’s. It is standard practice to add a couple of redundant digits to any important ID number. With a well-chosen code, n redundant digits let you detect any error that changes up to n digits. Two redundant digits is usually good because the two most common errors, writing one digit wrong or transposing two digits, will always be detected, and any other error slips through only about one time in 256 (for hex digits). If two of the 16 digits are redundant, the pool would still be big enough to last for billions of years.
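Here is one way to put the two previous points, a fully random number and a checksum, together, as an added example that is not part of the original post. It generates a 56-bit payload from the OS random source, appends an 8-bit check computed the way IBAN’s ISO 7064 MOD 97-10 does it but in base 16 modulo 251 (the largest prime that fits in a byte), and validates on input. The layout, the modulus and the helper names are assumptions of this illustration, not any standard.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Layout of one 64-bit ID: 56 random bits (14 hex digits) followed by an 8-bit
// check (the last 2 hex digits). The check is chosen so that the whole 64-bit
// value, read as an integer, is congruent to 1 modulo 251: the idea behind
// ISO 7064 MOD 97-10 (used by IBAN), moved to base 16 with the largest prime
// that fits in one byte. Assumed layout for this example, not a standard.
const (
	checkBits    = 8
	payloadMask  = (uint64(1) << (64 - checkBits)) - 1
	checkModulus = 251
)

const hexDigits = "0123456789abcdef"

// NewID draws 56 bits from the OS CSPRNG, appends the check, and returns the
// dashed hex form. Uniqueness is the registry's job at allocation time;
// randomness alone does not rule out a collision.
func NewID() (string, error) {
	var buf [8]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return "", err
	}
	payload := binary.BigEndian.Uint64(buf[:]) & payloadMask
	return Format(WithCheck(payload)), nil
}

// WithCheck appends the check byte to a 56-bit payload.
func WithCheck(payload uint64) uint64 {
	shifted := (payload & payloadMask) << checkBits
	check := (1 + checkModulus - shifted%checkModulus) % checkModulus
	return shifted | check // now (shifted|check) % 251 == 1
}

// IsValid reports whether a 64-bit value carries a correct check.
func IsValid(v uint64) bool { return v%checkModulus == 1 }

// Format renders a value as four dash-separated groups of four hex digits.
func Format(v uint64) string {
	h := fmt.Sprintf("%016x", v)
	return h[0:4] + "-" + h[4:8] + "-" + h[8:12] + "-" + h[12:16]
}

// Parse accepts the dashed form (dashes optional, any case) and rejects
// anything that is not exactly 16 hex digits with a valid check.
func Parse(s string) (uint64, error) {
	h := strings.ToLower(strings.ReplaceAll(s, "-", ""))
	if len(h) != 16 {
		return 0, errors.New("id must have 16 hex digits")
	}
	v, err := strconv.ParseUint(h, 16, 64)
	if err != nil {
		return 0, errors.New("id contains non-hex characters")
	}
	if !IsValid(v) {
		return 0, errors.New("id fails checksum")
	}
	return v, nil
}

// FlipDigit and SwapDigits model the two common transcription mistakes on a
// 16-character undashed ID: one digit written wrong (delta in 1..15 picks a
// different hex digit), and two digits swapped.
func FlipDigit(h string, i, delta int) string {
	b := []byte(h)
	b[i] = hexDigits[(strings.IndexByte(hexDigits, b[i])+delta)%16]
	return string(b)
}

func SwapDigits(h string, i, j int) string {
	b := []byte(h)
	b[i], b[j] = b[j], b[i]
	return string(b)
}

func main() {
	id, err := NewID()
	if err != nil {
		panic(err)
	}
	h := strings.ReplaceAll(id, "-", "")
	fmt.Println("new id:             ", id)
	_, err = Parse(FlipDigit(h, 3, 1))
	fmt.Println("one digit mistyped: ", err)
	_, err = Parse(SwapDigits(h, 7, 8))
	fmt.Println("two digits swapped: ", err)
}
```

Because 251 is prime and 16 has multiplicative order 25 modulo 251, changing any single hex digit, or swapping any two differing digits anywhere in the 16 (adjacent or not), changes the value modulo 251, so both kinds of error are always caught; an arbitrary other error passes about one time in 251. Under this layout the post’s example 6487-ed51-10b4-611a would keep its first fourteen digits and get its last two recomputed.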

Create a national address book

When I moved recently, I had to type or write my new address dozens of times to change it on various accounts. I wished that there was one authoritative place where I could put my address and all these businesses who already knew who I was could just look it up. The national ID system will already be a big database of people; why not add an option for people to store and update their residential address and mailing address? Such a system could also be used for all kinds of things, such as to prevent voting in multiple states. Unlike impersonation, which gets all the media attention, this is a form of voting fraud that actually happens.

It’s not just addresses that should be consolidated. There is lots of information that I have to tell the government over and over (phone number, email address, children, spouse, etc.) because it doesn’t store it all in one spot. I am sure there will be privacy objections about creating such a database, but I posit that this will increase privacy rather than decrease it. This is information that the government already stores; it just stores it in many places with varying or perhaps undefined security. Is the WIC database as secure as the IRS database? With a central database, the attack surface is reduced and all data can be stored at maximum security at minimum cost. The caveat is that a central store is also a single, high-value target, so the argument only holds if it is actually run at that level of security; Equifax is a reminder of what a poorly defended central store costs. If you are trying to keep your love child a secret from your coworkers, the IRS can probably be trusted to keep your child support payments secret, but what about the elementary school’s emergency contact list? A central database also forces decisions to actually be made about what is public and what is private, and even allows a citizen to make that decision on an individual basis. Most people don’t have a desire to keep their address a secret. People tend to forget that not that long ago everyone’s address and phone number was published yearly in a giant book and thrown on the doorstep of every house. But some, such as those being pursued by ex-lovers or criminal enterprises, want to keep their address a secret, and there is currently no good way to do so without severely curtailing one’s interactions. Businesses buy, sell, and trade personal information with minimal regulation and enforcement. Want to keep your address a secret? Better not have any magazine subscriptions, order anything online, or vote. But if there was a national address book, and especially if everyone was public by default, there would simply be no value in buying or selling something that was available for free. Those who opted out for whatever reason would end up with higher privacy than they currently have.

Value added

The existence of the ZIP Code has been estimated to be worth about $10 billion per year. This system condenses the ambiguous and constantly changing set of addresses into a fixed and finite set of approximate locations. Want to calculate your shipping costs? ZIP Code. Want to add a password to credit cards from out of town? ZIP Code. Want to get a car insurance estimate? ZIP Code. These things could be done without the ZIP Code, but its existence makes them cheaper and easier for both businesses and consumers. Public standards reduce cost and complexity, and right now a national ID is the lowest-hanging fruit on the public-standards tree. There is an easy opportunity here for reducing fraud and increasing convenience.