White House Cyber Coordinator Rob Joyce is seeking agency and department input on potential replacements for what he calls a “flawed” Social Security number system.
“I feel very strongly that the Social Security number has outlived its usefulness,” said Joyce, who spoke at the Washington Post Cyber Summit on Tuesday. “We’ve called for the departments and agencies to bring forward their ideas.”
Joyce said that he supports a public-private key system that would use public-facing and changeable identifiers for less secure environments and a private and more permanent number for secure use.
Joyce explained that each time a person’s Social Security number is used, the vulnerability of that number increases. And, according to the Social Security Administration website, the SSN may be the most widely used numbering system in the United States.
The Social Security number was created in 1936 to track the earning histories of U.S. workers and was never intended for use as a personal identification document, according to the SSA website. However, in 1943 an executive order required all federal agencies to use the SSN for future identification purposes, and the 1960s and ’70s saw legislation that mandated the use of SSN in hospitals, banks and many federal programs.
According to Joyce, a core problem of the SSN system is that it cannot be rolled back after known compromise occurs. In fact, Joyce said that he personally knows of four times his Social Security number has been compromised.
The most recent major compromise of Social Security numbers and other personally identifiable information, by the credit monitoring service Equifax, also raised concern over the regulations allowing certain entities to possess Social Security numbers.
“There should be a government role in some of that,” said Joyce, pointing particularly to the problem that consumers don’t get a choice in whether credit monitoring services get to have their personal data.
“Over half of Americans now have this private number public,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, told Federal Times. “That’s why it’s such a big deal right now.”
Castro explained that the kind of information obtained in the Equifax breach, such as names, birth dates and Social Security numbers, can all be used to do things like open a bank account in someone’s name.
“We have to stop using the Social Security number to verify someone’s ID,” said Castro, adding that he thinks the use of the SSN to do things like open bank accounts should be outlawed. “The problem is not having a number to identify you. The problem is having a number to identify you that’s supposed to be secret but is actually shared with everyone else.”
However, despite Joyce’s endorsement of finding a new digital identification process, Castro said that the federal government likely won’t have the momentum to change things any time soon, as the different branches often are “too insular on [their] outlook on this issue.”
In 2015, the federal government founded a Trusted Identities Group within the National Institute of Standards and Technology to facilitate the use of secure digital identity solutions; the group has released guidance for federal agencies warning against the misuse and overuse of the SSN.
Special Publication 800-63A on enrollment and identity proofing said that “overreliance on the SSN can contribute to misuse and place the applicant at risk of harm, such as through identity theft,” but also acknowledged the need for credential service providers to use SSNs in certain circumstances.
Federal agencies continue to over-collect, over-use and over-display Social Security numbers, leading to an unnecessarily high risk of identity theft.
Castro said that the Trusted Identities Group needs to be bigger to fully effect change in this space.
“It’s very small. I think they’ve laid a bit of the technical groundwork for what it would look like,” said Castro.
Funding also poses an issue for any potential new ID system, as Castro noted that citizens aren’t likely to pay for a government service that was previously free. He suggested mandating that organizations like Equifax that expose citizen data pay for those affected to receive digital identifiers in place of their SSN.
Ideally, Castro said, a new digital identifier would offer a single identity with multiple components, so that the component required for tax forms would be separate from the component used to get a library card.