Shostack + Friends Blog Archive

 

The SSN Is Also A Poor Identifier

oswald-social-security.jpgThere’s an idea floating around that a major problem with SSNs is their dual use as identifiers and authenticators. (For example, Jeremy Epstein, “Misunderstanding the risks of SSNs,” in RISKS-24.29) This is correct, but the phraseology leads to people trying to solve the problem by saying “if we just used SSNs as ID numbers, and made them all public, we’d be fine.”

This is dangerously seductive and wrong.

  • They’re too short: 30% of all possible SSNs have been issued.
  • They lack a check digit. Between these two, you should never design an identifier like this, because any keying error is acceptable, and likely to affect a two people.
  • They’re externally issued. This one is a little subtler, and I will argue by analogy. Mastercard and Visa, who understand risk management, make up their own numbers. They do this so that they can control when the numbers change, rather than being controlled. Seems like good database design to me.
  • As a design principle, compartmentalization adds to resilience. (Kim Cameron had a good post on this, “IBM Researcher Rejects UK Identity Card Scheme.”)

Not only is the SSN a poor identifier, but the use of the SSN as an authenticator will end up living on, even if we published them all, as Pete Lindstrom has suggested. What Lindstrom hopes is to stop the use of SSNs as authenticators, but that’s not done by publicizing them. If we want to stop the use of SSNs as authenticators, we could pass a law to do that. So why not work for that law, rather than one we hope will cause the courts to impose negligence penalties in accordance with our hopes?

Related to the resilience of a system, national ID numbers are inimicable to liberty. The English understood that what a government wants to control, it must first enumerate, and called the enumeration “The Doomsday Book.”

So, using the SSN as “just an identifier” is a bad idea. Publishing a list of them is a baroque and convoluted way to reach a useful goal, although it has great value as a publicity stunt.

(Lee Harvey Oswald’s SSN card via “Examination of Handwriting and Fingerprint Evidence” report to the Select Committee on Assassinations. Note the useful identifier.)

8 comments on "The SSN Is Also A Poor Identifier"

  • Ryan Russell says:

    I don’t get it. What’s the difference between authentication and identity? Is someone confusing the words “authentication” and “authorization” again?
    Also, don’t we already have a law that says that SSNs aren’t to be used for anything but government taxes and social security? You know, the one we ignore all the time? The publishing them all idea, I assume, is supposed to make them so untrustworthy as to be useless for anything but their original purpose. And then everyone voluntarily quits using them for other things. I don’t have that much faith in people.
    Another law which provides for criminal penalties would probably be neccessary. But that would just migrate the problem away from SSNs proper, to private-sector replacement(s). Maybe that helps, I’m not sure. I do believe that the need for some way to look up a person’s financial rating exists, so that need will be met, somehow. And that “somehow” will have similar problems.

  • Ryan Russell says:

    Identity is who you are. Eg, I’m Adam. If I tell people I’m Ryan, I may or may not be able to pull of the impersonation. Authentication is ways of showing you are who you are. Many people could identify us by face or voice, or because we know various secrets. Authorization is the tie of “Ryan may (“is authorized to”) close bugs in the database.
    I’m not sure there’s a good, lifelong way to “look up a persons financial rating,” as useful as it is to be able to do so. Biometrics fail, people lose body parts in accidents, etc.

  • Nikita says:

    Last I checked on the laws for collecting SSN information, they are very lax. They only apply to governmental organizations, so the private-sector can do what it pleases with SSNs, and even there, the government merely has to explain to you why it’s collecting the information.

  • I think it’s important to tease out the harms from using SSN as an authenticator and an identifier. I would be hard-pressed to defend a widely-circulated and even published secret as a valid “something you know.” Adam is spot-on in arguing that this practice should be banned for any serious authentication (and if it’s not serious, why do you need authenticated identities?).
    An interesting question for any lawyer types is how you would go about statutorily labeling a certain action as an authentication, as opposed to a mere identification. The difference is clear to me (see the NAS study “Who Goes There” or Jean Camp’s “Identity in Digital Government” Report) but is it equally clear in legislation and enforcement?
    Adam’s points about the weakness of SSN as an identifier are good. Except, of course, my SSN already is an identifier, to the Soc Sec Administration at very least. Various other gov’t orgs use SSN/name tuples to verify to some degree, and I’m curious how much error at various levels is caused by digit-swapping, etc.
    THe point about external issuance bears further exploration. The flip side of doing things inhouse is liability. If I use SSN as an identifier for my clients, I have to protect my own databases, of course, but the underlying system of issuance, documentation, etc is backed by the full faith & credit of Uncle Sam. If something goes wrong there, everything is FUBAR anyway. If my own system all kinds of fun protections turn out to be vulnerable to some evil-doer, a big ol’ class action will shortly follow.
    So firms and institutions have an incentive to piggy-back on any handy federal system. And we have ourselves an externality…

  • Ryan Russell says:

    I mean, I understand the difference between “identity” (noun), and “authentiacate” (verb) as parts of language… but the article(s) are getting at something different than that, or maybe I’m just reading too much into it. I’m not seeing the difference between the SSN representing me the noun vs. using the SSN to verb as me to some institution. How are they two different problems?

  • Identity is a conceptualization of an individual–as a customer, a citizen, a friend on myspace, etc. Note that individuals have multiple identities: the Allan known to his thesis committee is different than the Allan known to his students.
    An identifier is a property of an identity. A name is an identifier, as is a face. A firm can use an identifier (SSN) to
    map an action (order) to an identity (customer profile). The use of an identifier can be termed with the verb “identify”. The process of identification is matching an identifier with an identity.
    Identifiers may need to be authenticated. This can consist of determining that the presented identifier is valid (e.g. checksum computation, biometrics, etc)
    The identification process may also need to be authenticated. That is, does the presented identifier really correspond to a specific identity. A company can use your name to find information that you need, but demand your SSN before telling you that info. In that case, the SSN is an authenticator, but not an explicit identifier. Alternatively, a company can just ask for your SSN to begin a transaction: by serving as both a key to the database (identifier) and verification of identity (authentication). Finally, a company could insist on using an SSN as a login, but require a password as well; here the SSN is an identifier but not an authenticator.
    Some one can probably explain this more clearly….

  • David Brodbeck says:

    Ryan, think of it by analogy to a computer login. You have a username, which is the identifier. You have a password, which is used for authentication. The situation with the SSN is equivalent to your username and password being the same — using the same piece of information as both identification and authentication. You’re in the catch-22 of having to sometimes give out your username, so that people can email you, while also trying to keep it secret from people who might want to hack into your account. This is obviously unworkable.

  • Ryan Russell says:

    Very good. Thanks to everyone for their attempts, and thanks to David for succeeding. 🙂

Comments are closed.