We're long overdue for replacing Social Security Numbers as our main identifier
CNN – and I don’t say this lightly – asked an interesting question today. (Yes, that CNN). Namely, “Why are we still using Social Security numbers (SSNs) to identify ourselves?” After all, they were originally issued solely to organize retirement benefits and the government explicitly stated that SSNs were not to be used for identification. And at just nine digits – with the first five corresponding to the city and year of issuance through 2011 (now randomized) – they’re not the most secure or difficult to guess.
The answer to this maddening question is a quagmire of poor regulations around SSN collection, storage, and dissemination among private sector companies, an unwillingness among citizens to accept an alternative form of national identity, and yet an overwhelming and legitimate need for the government, banks, employers, and (at least some) other organizations to verify identity.
Where this all becomes a problem is around the sloppy handling of sensitive SSN data, something that is more the rule than the exception. As we’ve reported extensively here at Pando, cybersecurity breaches at Target, Sony, Home Depot, Staples, CVS, K-Mart, JP Morgan Chase, Global Payment Systems, Adobe, eBay, PayPal, UPS, the USPS, and other prominent companies have leaked some combination of consumer SSNs, credit card data (including billing address), email address, and passwords.
Often it’s not even that hard to get access to this data, with many data brokerages willingly (and legally) selling access to hundreds of millions of records to corporations without the knowledge of these consumers.
There’s been a movement among consumer advocates lately to limit the use of SSNs outside of employment, tax, banking, and federal aid scenarios. The Social Security Administration website lists just 15 instances where it is required to provide a SSN. But, there’s clearly no reason why your cable or cell phone provider needs your SSN. Even if they’re extending you credit, your name, date of birth, and current/past address(es) are typically enough to pull a consumer credit report. On the other hand, requesting credit from a bank almost always requires a SSN (or alternatively a Taxpayer ID Number). The more often this information is shared, the greater the likelihood that it is mishandled and ends up in the wrong hands.
Unfortunately, over the last century, SSNs have gone from a single purpose identifier related to retirement benefits to a global identification method. The problem is, the system was never designed for this kind of use. As CNN explains:
When it was created in 1936, the SSN had a single purpose: tracking what U.S. workers earned to determine benefit levels.
In fact, the card read: "FOR SOCIAL SECURITY PURPOSES -- NOT FOR IDENTIFICATION" until 1972. ...
When IBM computers arrived in the 1960s, they ushered in an age of SSNs as IDs. In 1961, the federal government started using it for employees, even though most are not eligible to collect Social Security. In 1962, the IRS used it for taxpayers. Law then compelled banks to join in. Colleges and hospitals soon followed suit. Replacing SSNs as the primary identifier of US citizens is a monumental task and one that has garnered little support among consumers who, rightly, fear housing any more sensitive information under a single database. But if the recent rise in large scale corporate hacks is any indication, it’s more important today than ever to reconsider how we view identity here in the US. Hell, even Facebook gives me more control of who gets access to which pieces of my online identity.
The solution likely demands a combination of approaches. Certainly the private sector must deploy better data security practices to limit the number of large scale cyber-breaches, however this will forever remain a game of whack-a-mole with evolving security threats. Another option is to implement some form of biometric security – particularly in the financial services sector – so that no one can “steal” your identity without also stealing your body. This option is particularly unpopular among privacy advocates and technology may not yet be at a point where it’s efficient and economical enough to deploy widely.
It also makes sense to institute stricter regulations around the collection, storage, and dissemination of SSN or other consumer identity data. For example, there’s no reason 99 percent of merchants need to know or store SSNs (or any future replacement identifier), particularly for targeting in advertising, yet there are no regulations governing their use today. In the public sector, on the other hand, The Privacy Act of 1974 (5 USC 552a) mandates that any federal, state, or local government agencies tell consumers four things before requesting SSNs: Whether disclosure of your Social Security Number is required or optional; What law authorizes them to ask for your Social Security Number; How your Social Security Number will be used if you give it to them; and The consequences of failure to provide an SSN. There’s no reason these requirements shouldn’t be extended to the private sector as well.
We all know that, for better or for worse, social security numbers hold the key to our financial identities. With that in mind, is doesn’t make sense to ignore the obvious need to reconsider how we manage this data. Consumers who are fearful of government (or private sector) prying would be wise to consider the alternatives. Today, the government and likely tens of thousands of organizations you have limited to no official interaction with know your name, gender, SSN, where you live, the state of your finances, your shopping and browsing habits, and tons more information.
To think that a more thoughtfully constructed and better regulated system would be worse than the current free-for-all is foolish, even for the most cynical of government critics.