On October 4, 2017, following the extensive security failure of Equifax Inc., reports indicate that the Trump administration is exploring alternatives to the standard means of identity provenance: Social Security numbers.
Special assistant to the president and White House cybersecurity coordinator Rob Joyce spoke Tuesday at a Washington cyber conference on what he described as an outdated identity system. "I feel very strongly that the Social Security number has outlived its usefulness. Every time we use the Social Security number, you put it at risk."
In light of the fact that 143 million US customers’ private information was accessed by hackers, the 45th presidential administration is leaning on other federal departments to help find an adequate replacement for the existing system, while exposing its weaknesses.
Appearing before the House Energy and Commerce Committee in an effort to offer an explanation for the hack was Equifax CEO Richard Smith, who was the recipient of admonition from both sides of the political aisle. Smith faced questions regarding the scale of the data breach and why Equifax executives failed to act swiftly to disclose the information. Mere days after the hack, three CEOs of Equifax sold shares worth $2 million (according to the SEC) but claim to have had no knowledge of the attack.
Smith pointed to a growing number of hackers who are targeting Social Security numbers as evidence of their vulnerability. He said:
"The concept of a Social Security number in this environment being private and secure – I think it’s time as a country to think beyond that. What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”
Joyce indicated that a better system would include the implementation of a “modern cryptographic identifier," going on to say, “It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise. I personally know my Social Security number has been compromised at least four times in my lifetime. That’s just untenable.”
Examples that harken back to Estonia's digital identity program were made by Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in Washington, as he described a system wherein a "physical token," embedded with a private key, could be issued to individuals in conjunction with a PIN. This would allow citizens to establish that they were who they claim to be, the same way one would with a debit card.
“Your pin unlocks your ability to use that big number [or private key],” said Hall, who acknowledged that while “it’s very promising” as well as technically feasible, it is still a "pretty big endeavor," with a substantial cost for deployment to every US citizen.
Bob Stasio, fellow at the Truman National Security Project and former chief of operations at the National Security Agency’s Cyber Operations Center, pointed to blockchain technology as a means of creating numbers that are mathematically impossible to maliciously replicate. Rather than relying on a numeric system that was implemented in 1936, blockchain technology can provide "a much more efficient and mathematically sound method of transaction, identification and validation."
According to Bruce Schneier, fellow at Harvard's Kennedy School of Government, the Social Security number is targeted by thieves because of the access it can provide. He depicts the numbers as an archaic institution. "They appeared at an age when we didn’t have other numbers,” Schneier explained, going on to call the numbers "part of our aging infrastructure" that "sooner or later we as a society need to fix.”
Schneier referenced current world examples, such as the Aadhaar card, issued in India to 1.2 billion individuals and based on the biometric data found in a fingerprint analysis or iris scan. Still, "magic math costs money," said Schneier.
A shift toward a more modern approach may require congressional action. Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington thinks so. He said, "You’d need to change a lot of existing public law," adding, “There would need to be extensive hearings and study about the consequences. It’s a complicated issue."
To avoid significant challenges in moving away from the vestigial Social Security number model, the transition process is likely to involve proof-of-concept test pools alongside thorough debates among legislators to fine-tune the system and policies prior to a mass-distribution. Still, the development represents what may be a substantial leap forward for society with government-issued, blockchain-backed identification technology.