Shostack + Friends Blog

 

Voter Records, SSN and Commercial Authentication

[Image: VerifiedbyVisa]
A Wednesday letter from the Presidential Advisory Commission on Election Integrity gives secretaries of state about two weeks to provide about a dozen points of voter data. That also would include dates of birth, the last four digits of voters' Social Security numbers... (NYTimes story [link to https://www.nytimes.com/aponline/2017/06/29/us/ap-us-voting-commission.html no longer works]) As of this writing, 44 states have refused.

I want to consider only the information security aspects of the letter [link to http://i2.cdn.turner.com/cnn/2017/images/06/30/peic.letter.to.maine[2].pdf no longer works], which also states that "Please be aware that any documents that are submitted to the full Commission will also be made available to the public."

Publishing a list of SSNs is prohibited by 42 USC 405(c)(2)(C)(viii), but that only applies to "SSNs or related record[s]." Related record means "any record, list, or compilation that indicates, directly or indirectly, the identity of any individual with respect to whom a social security account number or a request for a social security account number is maintained pursuant to this clause." So it's unclear to me if that law prohibits publishing the last 4 digits of the SSN in this way.

So, if a list of names, addresses, dates of birth and last four digits of the SSN of every voter is made available, what does that do to the myth that those selfsame four digits can be used as an authenticator?

I'd like to thank the administration for generating so much winning in authentication, and wish the very best of luck to everyone who now needs to scramble to find an alternate authentication technique.

Image credit: Jeff Hunsaker, "Verified by Visa: Everything We Tell Folks to Avoid."