Recently a friend of mine lost their social security card, among other important documents, and ran into the unfortunate situation of needing to help regain them. I spent a good chunk of the day helping them do so (driving them to the DMV, etc.), and began thinking a lot more about what it means to prove your identity. I also began thinking about the challenges in doing so, and realized just how inadequate today’s system for doing so is. I figured this would make for an interesting blog topic, and ties into my thoughts on social media quite well as a result.
Let’s start this off with an example situation: Imagine I had a million dollars to give only to you. I don’t want to come find you, so I decide to give you a call so I can get your information to mail you a check. How would you prove to me that you are you, without me knowing what you look like, or any other things about you? For most people, this starts with a name, a social security number, and some kind of secret answer (what your address is, your mother’s maiden name, etc.) What else could you provide outside of those things to prove who you are though? Would making a public Facebook post that I could check on your profile be sufficient? Maybe you want me to verify with an email address? Every day we verify our identity in little ways, from the websites we login to, to the things that we buy, to the places we go.
Now let’s take this in reverse: Let’s imagine someone who isn’t you tries to claim this reward. What is an acceptable way for me to try and verify your identity? If this person gives me your social security number, full name, and address, is this enough information? What if they’ve hacked your Twitter, and use that to “verify their identity”? Imagine they can list every address you’ve ever lived at, where you were born, and the name of your first pet. How can you know this person wasn’t actually you? They even know the names of your siblings and several of your friends vouched for them!
Identity isn’t a single property of a person: it’s a collection of properties that make up an entire person. Verifying your identity is tough because (at least in the U.S.), we don’t assign a proper way to validate who someone is. Social security numbers are often used to fulfill this purpose, but with 50% of the U.S. having theirs’ stolen in last year’s Equifax data breach, the numbers themselves being very insecure to begin with, and the fact that they weren’t designed with this purpose in mind originally, these numbers really should not be used for this purpose. Which begs the question, how else can we identify someone?
One of the best ideas I’ve seen for this makes use of asymmetric cryptography, or public-key cryptography. In essence, everyone in the world would be given a public key and a private key at birth. These keys could be randomly generated at any time; and when private keys are stolen, could be quickly and efficiently regenerated for any number of citizens (you can’t get a new social security number until your number is actually stolen AND being used by the thief. If it’s only stolen, you can’t replace it). Then, when you want to prove your identity you can write a message with your private key (which only you have), and then whoever wants to verify your identity can de-crypt it with the public key (which anyone can have). Because your public key can’t do the encryption, only you write the initial message.
The benefits of such a system are of course huge: You no longer need to give the secretive part of your identity to large corporations, replacing your keys is as simple as the click of a button, and this kind of security was designed for this explicit purpose from the beginning. Alas, such a system is most likely a pipe dream for the time being with how slow our government moves. I’d love to be wrong on this, but chances are that such a system will take many decades just to get off the ground and into congress. With that said, what are the consequences of not having such a system? I think we’re about to find out in the coming years.
As I previously mentioned, about 50% of American’s have had their social security numbers (SSNs) leaked thanks to Equifax. The exact number of SSN’s stolen was 145.5 million. Here’s the thing: There’s only approximately 328 million people in the United States according to the U.S. census site. Equifax is a credit reporting company, meaning that they most likely don’t have data on folks who don’t have a credit line of some kind. So then how many people do they actually have social security numbers for? Equifax is a publicly traded company, they don’t just get your number when you’re born, you have to open some kind of line of credit (or need a credit check of some sort) for them to even get it. I believe that more than 90% of the Americans may have had their social security numbers stolen based on this. Maybe more.
If that’s the case, how can anyone be 100% confident that someone is who they say they are? Technology like “Deep Fakes” are getting impressively good, so even if we did a video call in our original scenario, it would still be impossible for me to ever be 100% confident that you are who you say you are. If we can’t trust what we see, what we hear, and what identification cards we are given, how can we ever be confident with our identities? I think the answer is we can’t. Ultimately, we are stuck in a pretty dire situation that’s looking pretty bleak to be honest. So if that’s how the situation looks now, what will it look like in 10 years? I don’t think it’ll be great if we aren’t careful.
The next question then becomes: what can we do now? The first thing is making sure you keep your identity as secure as possible. Claim your name first on websites like Facebook and Twitter, never carry your social security card around, when asked for personal information be extra wary of who you give it to, etc. Make sure to think about what all of that actually means however. Claiming your name on those websites doesn’t mean you have to use them, and doing so ensures no one can use them against you in the future. Carrying around your social security card may be obvious, but what about a debit card, a direct access to your bank account? For personal information, even little things like your birth year can be incredibly revealing, even when given for a silly Facebook survey.
Even with this though, I think that over the next decade we’re going to see a large increase in identity issues, both for those in the public eye (movie stars, politicians, etc.), as well as average citizens. The above can help you confirm your identity, but it doesn’t prevent someone from trying to steal it. Most credit card companies aren’t going to check your Facebook when you apply for one, so the chances of someone falsely applying for one under your identity remain the same. The best way to prevent someone from stealing your identity for good is going to continue to be actively monitoring things that are important to you. Check your credit score (for free) through websites like Credit Karma, put freezes on your credit accounts when you know you won’t be opening new lines anytime soon, setup Google Alerts for information pertaining to you, and use websites like pipl to see what information about you is already online. You can’t prevent someone who is determined from stealing your identity, but you can be prepared to take it back.